Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr

To: "ipsec at ietf.org" <ipsec at ietf.org>
Subject: Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
From: Michael Richardson <mcr at sandelman.ottawa.on.ca>
Date: Wed, 06 May 2009 08:58:59 -0400
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <9FB7C7CE79B84449B52622B506C780361338598109 at il-ex01.ad.checkpoint.com>
List-archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <7ccecf670904212100o5ee2fe2dydb4bfdba2f414b4b at mail.gmail.com> <99043b4a0904212310q1f0b1a2em7aed8b5114791f45 at mail.gmail.com> <99043b4a0904212310y4572a41dy32c4da6b63580f52 at mail.gmail.com> <7ccecf670904212328u67fd961cj33dd1d0b4bb0be6a at mail.gmail.com> <99043b4a0904212337w11be053cg480f80592a6c513e at mail.gmail.com> <99043b4a0904212338l74e47c3ftae1b7a14aa8db5b6 at mail.gmail.com> <7ccecf670904212351n6494a683x87384b409d14d9c2 at mail.gmail.com> <9FB7C7CE79B84449B52622B506C780361338597890 at il-ex01.ad.checkpoint.com> <4A009310.2020904 at sandelman.ca> <9FB7C7CE79B84449B52622B506C780361338598109 at il-ex01.ad.checkpoint.com>
Sender: mcr at marajade.sandelman.ca

Let me suggest a situation where perhaps I would like to bring up
an IKE_SA and not a CHILD_SA: it might be for just sending initial
contact, and perhaps even a DELETE.

I sometimes move quickly from being "outside" my IPsec gateway/firewall
(such as being on wireless), to being wired behind the gateway, where I
do not need IPsec.  The DPD doesn't kick off fast enough, and my traffic
goes to where I am no longer.  It would be nice to bring up the IKE_SA
(or... haha, resume it), just so that I can send a delete and/or
initial_contact. 

Seems like to do this, once needs to include a known-to-be-unacceptable
CHILD_SA proposal.

-- 
]     Y'avait une poule de jammé dans l'muffler!!!!!!!!!        |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Follow-Ups:
- Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: Tero Kivinen
- Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: Yoav Nir

References:
- [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: raj singh
- Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: Matthew Cini Sarreo
- Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: raj singh
- Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: Matthew Cini Sarreo
- Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: raj singh
- Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: Yoav Nir
- Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: Michael Richardson
- Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
  - From: Yoav Nir

Prev by Date: Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
Next by Date: Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
Previous by thread: Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
Next by thread: Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr
Index(es):
- Date
- Thread

Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.