[Hampshire] IPSec question

Author: James Courtier-Dutton
Date:  
To: Hampshire LUG Discussion List
Subject: [Hampshire] IPSec question
Hi,

When IPSEC moves from one key to the next key, at what point does it
delete the old key?
I have read the IPSEC RFCs, and IKE negotiates a new key and has a
command to delete the old SA and thus the old key, but what triggers
the delete command?

The problem lies with the fact that packets can arrive out of order.
So, if the sending station starts using the new key, a packet can
arrive at the receiving station with the new key, followed by
a packet using the old key. So the receiving station cannot delete the
old SA immediately.

Possible options:
1) Wait for "anti-replay window size" packets with the new key then
delete old key.
2) Wait "X" seconds after the first packet with the new key and then
delete the old key, where "X" is greater than the max latency of the
network.

James
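As an added illustration (my own sketch, not part of James's message or any IPsec implementation): a toy inbound-SA table that keeps both SAs alive and retires the old one under either of the two rules above, the packet-count rule or the grace-time rule, driven by a constructed, reordered arrival sequence with made-up SPIs.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class InboundSA:
    spi: int
    key: str                          # placeholder for real key material
    seen: int = 0                     # packets accepted on this SA
    first_seen: Optional[float] = None  # arrival time of first packet on this SA

class RekeyReceiver:
    """Inbound side during a rekey: both SAs stay until a retirement rule fires.
    Old SA is deleted when either `window` packets were accepted on the new SA
    (option 1) or `grace` seconds passed since its first packet (option 2)."""
    def __init__(self, old: InboundSA, new: InboundSA, window: int, grace: float):
        self.sas = {old.spi: old, new.spi: new}
        self.old, self.new = old, new
        self.window, self.grace = window, grace
        self.dropped = 0          # packets whose SA had already been deleted
        self.log = []

    def receive(self, spi: int, t: float) -> bool:
        sa = self.sas.get(spi)
        if sa is None:            # late packet on a retired SA: must be dropped
            self.dropped += 1
            self.log.append(f"drop spi={spi:#x} (no SA)")
            return False
        sa.seen += 1
        if sa.first_seen is None:
            sa.first_seen = t
        self.log.append(f"accept spi={spi:#x} key={sa.key}")
        self._maybe_retire_old(t)
        return True

    def _maybe_retire_old(self, t: float) -> None:
        if self.old.spi not in self.sas or self.new.first_seen is None:
            return
        by_count = self.new.seen >= self.window
        by_time = (t - self.new.first_seen) >= self.grace
        if by_count or by_time:
            del self.sas[self.old.spi]
            self.log.append(f"delete spi={self.old.spi:#x} ({'window' if by_count else 'grace'})")

def simulate() -> RekeyReceiver:
    rx = RekeyReceiver(InboundSA(0x1001, "K_old"), InboundSA(0x2002, "K_new"),
                       window=4, grace=2.0)
    # constructed arrivals (spi, time): sender switched keys at t=1.0; one
    # old-key packet is reordered behind the first new-key packet, and one
    # straggler arrives after the old SA has been retired by the window rule
    for spi, t in [(0x1001, 0.1), (0x1001, 0.5), (0x2002, 1.0), (0x1001, 1.1),
                   (0x2002, 1.2), (0x2002, 1.3), (0x2002, 1.4), (0x1001, 1.5)]:
        rx.receive(spi, t)
    return rx
```

With `window=4` the reordered old-key packet at t=1.1 is still accepted, while the straggler at t=1.5 is dropped because the old SA was deleted once four new-key packets had arrived.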