Hi Raghu. You are correct. It is not mandatory to delete an IKE SA without child SAs.

The draft does not specify the complete behavior of all products that implement it. It describes a language (IKE) by which two implementations may "converse". It is perfectly valid to create an implementation where having a "child-less" IKE SA is not acceptable. Such an implementation would delete the IKE SA if no child SAs are left. It is also perfectly valid not to do so.

For an example, think of the remote access case using EAP for user passwords (or using a certificate stored in MS CAPI or Apple Keychain, where you need a password to unlock the cert). Setting up an IKE SA is not only computationally intensive (Diffie-Hellman), but also intrusive as it requires user interaction. Suppose we had a child SA used to reach the mail server. Since the mail client only connects once every 10 minutes, the child SA times out and is deleted without a rekey. If either the client or the gateway now deletes the IKE SA, then we will again require user interaction to set up the new IKE SA. That is not the user experience we want. Better to keep the IKE SA and have the child SA set up automatically when the need arises.

Hope this helps

Yoav

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Raghunandan P (raghup)
Sent: Monday, March 09, 2009 12:09 PM
To: [email protected]
Subject: [IPsec] Query on IKEv2 SA

Hi,

I had a query related to the IKEv2 SA existence and the method used to delete it. IKEv2 protocol supports continuous channel mode, which implies that once we delete the IKEv2 SA, all the IPsec SAs created using this IKEv2 SA also get deleted. However, if the last IPsec SA is deleted, the IKEv2 SA is not deleted. Is this understanding correct?

If the above is correct, what is the purpose of having this standalone IKEv2 SA? Since maintaining the IKEv2 SA consumes resources in the system, what is the advantage offered by having this standalone IKEv2 SA?

If the standalone IKEv2 SA is indeed brought up, when is this IKEv2 SA deleted and what is the method used to delete this IKEv2 SA? One example is a phase 2 proposal mismatch, in which case we can still bring up the IKEv2 SA only. How is the IKEv2 SA deleted in this case and in any other general case? I could not find much information on this in the draft and hence more clarity would help.

Thanks
Raghu
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
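To make the trade-off in Yoav's mail-client example concrete, here is an added simulation (my own illustration, not code from the thread or from any IKE implementation) of the two policies he describes: delete the IKE SA when it becomes child-less, or keep it and re-create the child SA on demand. The 10-minute polling interval, the 5-minute idle lifetime of the child SA and the counting of user prompts are assumptions; rekeying, DPD and liveness checks are deliberately left out.

```python
"""Toy model of IKEv2 SA lifetime policies (constructed illustration)."""
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    created_at: int
    child_sas: dict = field(default_factory=dict)  # name -> expiry time (s)


class Peer:
    """One endpoint; tracks its IKE SA and how often the user was prompted."""

    def __init__(self, delete_childless_ike_sa: bool, child_lifetime: int):
        self.delete_childless = delete_childless_ike_sa
        self.child_lifetime = child_lifetime
        self.ike_sa = None
        self.user_prompts = 0  # EAP password / keychain unlock prompts

    def ensure_child(self, name: str, now: int) -> None:
        """Traffic needs a child SA; bring up an IKE SA first if there is none."""
        if self.ike_sa is None:
            self.ike_sa = IkeSa(now)
            self.user_prompts += 1  # IKE_AUTH with EAP needs the user (assumed)
        # CREATE_CHILD_SA under the existing IKE SA needs no user interaction
        self.ike_sa.child_sas[name] = now + self.child_lifetime

    def expire(self, now: int) -> None:
        """Delete idle child SAs; apply the child-less IKE SA policy."""
        if self.ike_sa is None:
            return
        for name in [n for n, t in self.ike_sa.child_sas.items() if t <= now]:
            del self.ike_sa.child_sas[name]  # timed out, no rekey
        if self.delete_childless and not self.ike_sa.child_sas:
            self.ike_sa = None  # policy: tear down IKE SA with no children


def simulate(delete_childless: bool, hours: int = 8,
             poll_interval: int = 600, child_lifetime: int = 300) -> int:
    """Mail client polls every poll_interval seconds; return prompts seen."""
    peer = Peer(delete_childless, child_lifetime)
    for now in range(0, hours * 3600, poll_interval):
        peer.expire(now)              # child SA from the last poll has idled out
        peer.ensure_child("mail", now)  # new poll needs a child SA again
    return peer.user_prompts


if __name__ == "__main__":
    print("delete child-less IKE SA:", simulate(True), "prompts")
    print("keep child-less IKE SA:  ", simulate(False), "prompts")
```

Over an eight-hour day the "delete" policy prompts the user on every poll (48 times), while keeping the child-less IKE SA prompts once.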
