RE: Error in ips-security-07

Excerpt of message (sent 26 January 2002) by Black_David@emc.com:

> This is the infamous "dangling SA" issue discussed in ipsec
> in the past. While I don't recall its resolution, the IKEv2
> draft prohibits dangling SAs, and the IPS Security draft is
> taking the same position. OTOH, I seem to recall that IKEv1
> implementations differ on whether dangling SAs are allowed.
> Paul - are you suggesting that prohibiting dangling SAs
> would unnecessarily exclude some IKEv1 implementations to
> our detriment?

I'm not sure what "dangling SAs" are, or whether that term applies to the case you're talking about here. I'll have to look at IKEv2 to see what the story is there.

As for IKEv1, the spec explicitly discusses deleting the Phase 1 SA immediately after the Phase 2 negotiation (Quick Mode) has been performed, in situations where you want Perfect Forward Secrecy. So it's not just that this is silently permitted -- it is explicitly recommended. Therefore I think it is a very bad idea for the IPS security spec to explicitly disallow that same behavior!

I've run into several implementations that built in an assumption that the Phase 2 SA is subordinate to the Phase 1 SA. That's simply a wrong assumption, as the text I quoted makes clear, and such assumptions caused interop problems in interop test sessions. I remember having to fix this bug in our implementation at some point. We need to make sure we don't duplicate those bugs here.

In any event, I cannot see any reason for the IPS spec to discuss this topic at all. SAs should be deleted when the IKE/IPsec specs call for their deletion and not otherwise. Why should IPS care what those rules are? We already have a lot of dabbling in internal IPsec/IKE detail going on in the IPS security spec. Talking about requirements subsetting is one thing -- restating IKE algorithms is quite another, especially if the restatement conflicts with the authoritative text.

It *is* correct for the IPS spec to say what you do to a connection when the SA protecting it goes away. That's already covered (on page 12); the current text makes sense to me.

paul
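An added illustration of the interop bug the message describes (example code, not from the original post or from any IPS or IKE implementation): a toy SA database in which deleting the Phase 1 SA wrongly cascades to the Phase 2 SAs it negotiated, beside the correct handling where the Phase 2 SAs live on under their own lifetime. The cookie and SPI values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class IpsecSA:          # Phase 2 SA (e.g. ESP), created by Quick Mode
    spi: int
    negotiated_by: str  # cookie of the Phase 1 (IKE) SA that created it


@dataclass
class SADB:
    ike_sas: set = field(default_factory=set)       # live Phase 1 SAs, by cookie
    ipsec_sas: dict = field(default_factory=dict)   # live Phase 2 SAs, by SPI

    def quick_mode(self, cookie: str, spi: int) -> IpsecSA:
        # Quick Mode can only run under a live Phase 1 SA.
        if cookie not in self.ike_sas:
            raise KeyError("Quick Mode needs a live Phase 1 SA")
        self.ipsec_sas[spi] = IpsecSA(spi, cookie)
        return self.ipsec_sas[spi]

    def delete_ike_sa_buggy(self, cookie: str) -> None:
        # The wrong assumption: tearing down Phase 1 cascades to its Phase 2 SAs.
        self.ike_sas.discard(cookie)
        doomed = [s for s, sa in self.ipsec_sas.items() if sa.negotiated_by == cookie]
        for spi in doomed:
            del self.ipsec_sas[spi]

    def delete_ike_sa(self, cookie: str) -> None:
        # Correct: Phase 2 SAs are independent of Phase 1; they end only by
        # their own lifetime or an explicit delete, not because Phase 1 went away.
        self.ike_sas.discard(cookie)

    def protecting(self, spi: int) -> bool:
        return spi in self.ipsec_sas


def pfs_scenario(buggy: bool) -> bool:
    """Negotiate Phase 2, then delete Phase 1 immediately (the PFS pattern
    the message cites) and report whether the ESP SA still protects traffic."""
    db = SADB()
    db.ike_sas.add("c1")                 # constructed Phase 1 cookie
    db.quick_mode("c1", spi=0x1001)      # constructed SPI
    (db.delete_ike_sa_buggy if buggy else db.delete_ike_sa)("c1")
    return db.protecting(0x1001)
```

With the correct handling, a later Quick Mode simply needs a fresh Phase 1 SA; the existing Phase 2 SA is unaffected by the Phase 1 deletion.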