ipsec November 2007 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: Re: [IPsec] CHILD_SA and PFS

Re: [IPsec] CHILD_SA and PFS

From: Yoav Nir <ynir_at_nospam>
Date: Tue Nov 20 2007 - 13:53:27 GMT
To: Tero Kivinen <kivinen@iki.fi>, ipsec@ietf.org

This assumes that generating a new IKE SA is a painless procedure. For clients, this could mean keying in a passcode from a token, or entering a password or pushing some button on a phone.

Even if generating an IKE SA is painless, it's also bad if you need multiple SAs. Only the first SA (the one that happened to trigger IKE) will succeed. All the others will fail (assuming all require PFS). So we have a badly mismatched configuration that occasionally works.

On Nov 20, 2007, at 3:20 PM, Tero Kivinen wrote:

> Yoav Nir writes:
>> I can think of two ways to fix this:
> I think the easiest is to fix the configuration. Note that this does
> not cause any big problem even if nothing is done. The IPsec SA rekey
> will fail, which means the IPsec SA will expire, and when creating new
> IPsec SA fails too, the initiator will tear down the IKE SA, and
> recreate it, which will again generate new IKE SA and IPsec SA and
> traffic works again. I.e every few hours there is few seconds when
> traffic does not work because of configuration error. If the user
> wants to get rid of it he should fix the confuration.
> --
> kivinen@safenet-inc.com

IPsec mailing list