Raghunandan P (raghup) writes:
> IKEv2 protocol supports continuous channel mode, which implies that once
> we delete IKEv2 SA, all the IPSec SAs created using this IKEv2 SA also
> get deleted. However, if the last IPSec SA is deleted, the IKEv2 SA is
> not deleted. Is this understanding correct?

Yes, that is correct. You can have an IKE SA without any Child/IPsec SAs.

> If the above is correct, what is the purpose of having this standalone
> IKEv2 SA? Since maintaining the IKEv2 SA consumes resources in the
> system, what is the advantage offered by having this standalone IKEv2
> SA?

Let's say you have a situation where you create a new Child/IPsec SA for each TCP connection. With, for example, web traffic, those TCP connections are quite short-lived, and it would be very expensive to create a new IKE SA for each of them, so you want to create them using the same IKE SA. When the last TCP connection goes away (and the user is reading the web page), the IKE SA will still be kept there, and then when the user clicks some link to fetch more stuff from the server, new TCP connections are created, and those can be created using the already existing IKE SA.

So in some scenarios it is advantageous to keep the IKEv2 SA up even after the last Child/IPsec SA disappears. In some scenarios it might be useful to put some kind of idle timer there, and delete that IKEv2 SA if it stays there for too long (for example more than 10-30 minutes).

> If the standalone IKEv2 is indeed brought up, when is this IKEv2 SA
> deleted and what is the method used to delete this IKEv2 SA? One example
> is a phase 2 proposal mismatch, in which case, we can still bring up the
> IKEv2 SA only. How is the IKEv2 SA deleted in this case and in any other
> general case?

IKEv2 SAs are only deleted in two ways:

1) An explicit INFORMATIONAL exchange having a Delete payload in the request packet (with Protocol ID 1 for IKE_SA, and empty SPI), and the other end's response packet (without a Delete payload, so this response is usually just an empty packet, i.e. only an Encrypted payload with nothing in it).

2) By timeout, i.e. if the other end does not send a response to the request that has been "retransmitted at least a dozen times over a period of at least several minutes before giving up on an SA". In that case the IKE SA is simply removed from memory, without further communications to the other end.

Note that case 1 also applies to the old IKE SA after an IKE SA rekey, i.e. even that will be deleted by sending a Delete payload in an INFORMATIONAL exchange.

> I could not find much information on this in the draft and hence more
> clarity would help.

Case 1 is explained in section 3.11 of RFC 4306 and section 5.8 of RFC 4718. Case 2 is explained in section 2.4 of RFC 4306.

-- 
[email protected]

IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec
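As an added illustration (not part of the thread above), the Delete payload that case 1 relies on, encoded and decoded per the wire format in RFC 4306 section 3.11: Protocol ID 1 with SPI Size 0 and zero SPIs tears down the IKE SA (the "empty SPI" in the reply), while Protocol ID 2/3 with 4-byte SPIs deletes individual AH/ESP Child SAs. The Protocol ID and SPI Size rules come from the RFC; the function names are my own.

```python
import struct

# Protocol ID values carried in the Delete payload (RFC 4306 section 3.11).
PROTO_IKE, PROTO_AH, PROTO_ESP = 1, 2, 3
NO_NEXT_PAYLOAD = 0  # Next Payload value meaning "this is the last payload"
# Generic header + Delete fields: NP, C/Reserved, Length, ProtoID, SPI Size, #SPIs
DELETE_HEADER = struct.Struct("!BBHBBH")


def build_delete_payload(protocol_id, spis=(), next_payload=NO_NEXT_PAYLOAD):
    """Encode a Delete payload; IKE SA deletes carry no SPIs, Child SA deletes one per SA."""
    if protocol_id == PROTO_IKE:
        if spis:
            raise ValueError("an IKE SA delete must not list SPIs")
        spi_size = 0
    elif protocol_id in (PROTO_AH, PROTO_ESP):
        if not spis:
            raise ValueError("a Child SA delete needs at least one SPI")
        spi_size = 4
    else:
        raise ValueError(f"unknown Protocol ID {protocol_id}")
    body = b"".join(struct.pack("!I", spi) for spi in spis)
    header = DELETE_HEADER.pack(next_payload, 0, DELETE_HEADER.size + len(body),
                                protocol_id, spi_size, len(spis))
    return header + body


def parse_delete_payload(data):
    """Decode one Delete payload, rejecting length/SPI combinations the RFC forbids."""
    if len(data) < DELETE_HEADER.size:
        raise ValueError("truncated Delete payload")
    nxt, _flags, length, proto, spi_size, count = DELETE_HEADER.unpack(data[:8])
    if length > len(data) or length != DELETE_HEADER.size + spi_size * count:
        raise ValueError("Payload Length disagrees with SPI Size * #SPIs")
    if proto == PROTO_IKE and (spi_size or count):
        raise ValueError("IKE SA delete must have SPI Size 0 and zero SPIs")
    if proto in (PROTO_AH, PROTO_ESP) and spi_size != 4:
        raise ValueError("AH/ESP SPIs are 4 bytes")
    spis = [struct.unpack_from("!I", data, 8 + 4 * i)[0] for i in range(count)]
    return {"next_payload": nxt, "protocol_id": proto, "spis": spis}


def deletes_ike_sa(data):
    """True if this Delete payload removes the IKE SA (and with it every Child SA)."""
    return parse_delete_payload(data)["protocol_id"] == PROTO_IKE


def is_valid_delete_payload(data):
    """Convenience wrapper: does the payload parse under the checks above?"""
    try:
        parse_delete_payload(data)
        return True
    except ValueError:
        return False
```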
