1. Field of the Invention
The present invention relates generally to data networks, and more specifically to a technique for generating control messages with reason information between nodes in a data network.
2. Description of Related Art
Network communication protocols have become increasingly sophisticated over the past few years. One particular area concerning communication protocols which has received much attention relates to the field of network security. This is particularly evident in global communication networks such as the Internet. For example, a number of standardized security-related protocols and/or definitions have been established for achieving acceptable levels of security over the Internet. Such standardized protocols include, for example, the Internet Key Exchange (IKE) protocol, the IP Security (IPSec) protocol, the Internet Security Association and Key Management Protocol (ISAKMP), etc. The Internet Key Exchange protocol is defined in RFC 2409, the IP Security protocol is defined in RFC 2401, and the Internet Security Association and Key Management Protocol is defined in RFC 2408. Each of these documents is incorporated herein by reference in its entirety for all purposes.
As commonly known to one having ordinary skill in the art, implementation of Internet Security Protocols (such as those described above) between nodes in an IP network involves the establishment of different types of Security Associations (SAs) for providing secure communication of traffic between network nodes. Conventionally, every Security Association (SA) has a unique ID which serves as a mechanism for generating keying materials for purposes of allowing encrypted communication between network nodes. According to the conventional IKE protocol, different types of SAs may be used for communicating different types of information between two network nodes.
Typically, in order to pass encrypted traffic between two network nodes, an IKE SA (commonly referred to as a “Phase 1” SA) is first established between the network nodes. The Phase 1 SA is typically used to pass control signal information between the network nodes. Such control information may include, for example, keep-alive or heartbeat messages.
After the Phase 1 SA has been established, one or more IPSec SAs (commonly referred to as “Phase 2” SAs) may be established for allowing encrypted data to be passed between the network nodes. According to conventional practice, a Phase 1 SA may be used to initiate one or more Phase 2 SAs. Typically, Phase 1 SAs are initiated between network nodes for allowing control messages to be exchanged between the nodes, whereas Phase 2 SAs are used for allowing packets and/or encrypted IP data to be exchanged between the nodes.
According to conventional IP security techniques, a Phase 2 SA can only be initiated after its associated Phase 1 SA has been established. However, the expiration of Phase 1 and Phase 2 SAs may occur independently from one another. Thus, it is possible for one or more Phase 2 SAs to continue after the expiration of their associated Phase 1 SAs.
In many conventional IP networks, IKE keep-alive messages are typically used for dead-peer detection and consequent fail-over implementation. According to conventional practice, once the Phase 1 SA expires, the negotiated keep-alive control messages will also expire. Consequently, it is typically the case that two IPSec peers will exchange no further keep-alive messages until the Phase 1 SA renegotiates, either by renegotiating the Phase 2 SA, or by user intervention. Thus it will be appreciated that there exists a period of time between the expiration of the Phase 1 SA and the expiration/renegotiation of the Phase 2 SA where no keep-alive or heartbeat messages are transmitted between the two peers. As a result, any fail-over mechanisms between the two peers will be disabled during this time.
Typically, when a Phase 1 SA expires, the router which originally initiated the Phase 1 SA will check to see whether the expiring Phase 1 SA is related to any active Phase 2 SAs. If any active Phase 2 SAs are identified, the router will initiate a Phase 1 renegotiation. This process may continue until all the associated Phase 2 SAs have expired. If no associated Phase 2 SAs are identified, then it may be assumed that no traffic is flowing between the router and its peer. Accordingly, the router will allow the Phase 1 SA to time out, and as a consequence, the keep-alive messages will also time out.
It will be appreciated that situations may arise in which it is desired to delete a selected Phase 1 SA without deleting related Phase 2 SAs. For example, a system administrator may wish to manually clear the Phase 1 SA. Alternatively, an error relating to the Phase 1 SA may be detected and, in response, automatic or manual deletion of the Phase 1 SA may be initiated. However, according to the conventional IKE and IPSec protocols, the deletion of any given Phase 1 SA having active, associated Phase 2 SAs will result in the Phase 1 renegotiation. Thus, according to conventional techniques, even if it is desired to delete a selected Phase 1 SA, the existence of any related, active Phase 2 SA will result in the Phase 1 SA continuously renegotiating itself. Accordingly, it will be appreciated that there exists a general desire to improve upon security communication protocols implemented in IP networks.
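The lifecycle described in the preceding paragraphs (independent Phase 1 and Phase 2 expiry, the keep-alive gap in which fail-over is blind, and the conventional rule that a Phase 1 SA with active Phase 2 SAs is renegotiated even when an administrator clears it) can be traced with the following toy simulation. It is an added illustration, not part of the patent text; the integer time steps, lifetimes and renegotiation delay are assumed values chosen for the example.

```python
"""Toy model of the conventional IKE Phase 1 / Phase 2 SA lifecycle.

Assumptions (constructed for this illustration, not vendor behaviour):
  * time advances in integer steps; the first Phase 1 SA is established at t=0;
  * keep-alive messages flow only while a Phase 1 SA is live;
  * on Phase 1 expiry (or manual clearing) the initiating router applies the
    conventional rule: renegotiate Phase 1 if any associated Phase 2 SA is still
    active, otherwise let it time out; renegotiation takes `reneg_delay` steps.
"""
from typing import List, Optional, Tuple


def phase2_active(phase2_expiries: List[int], now: int) -> bool:
    """True while at least one associated Phase 2 (IPSec) SA has not expired."""
    return any(expiry > now for expiry in phase2_expiries)


def simulate(lifetime: int, phase2_expiries: List[int], horizon: int,
             reneg_delay: int, clear_at: Optional[int] = None) -> Tuple[int, List[int]]:
    """Return (number of Phase 1 renegotiations, time steps that are 'blind':
    a Phase 2 SA is active but no Phase 1 SA is live, so no keep-alives flow)."""
    live_until = lifetime          # current Phase 1 SA expiry
    reneg_done: Optional[int] = None   # step at which an in-flight renegotiation completes
    renegotiations = 0
    blind_steps: List[int] = []
    for now in range(horizon):
        if clear_at is not None and now == clear_at:
            live_until = now       # administrator clears the Phase 1 SA
        p2_active = phase2_active(phase2_expiries, now)
        p1_live = now < live_until
        if not p1_live and reneg_done is None and p2_active:
            # conventional rule: active Phase 2 forces a Phase 1 renegotiation
            reneg_done = now + reneg_delay
            renegotiations += 1
        if reneg_done is not None and now >= reneg_done:
            live_until = now + lifetime   # fresh Phase 1 SA, keep-alives resume
            reneg_done = None
            p1_live = True
        if p2_active and not p1_live:
            blind_steps.append(now)       # fail-over mechanisms disabled here
    return renegotiations, blind_steps


if __name__ == "__main__":
    # Phase 1 lifetime 10, one Phase 2 SA expiring at 25, 2-step renegotiation.
    print(simulate(10, [25], 40, 2))             # two renegotiations, gaps at 10-11 and 22-23
    print(simulate(10, [25], 40, 2, clear_at=5))  # clearing at t=5 still renegotiates
```

With a zero renegotiation delay the blind window disappears but the renegotiation count does not, which is exactly the behaviour the last paragraph objects to: the Phase 1 SA cannot be removed while a related Phase 2 SA remains active.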