Re: [Hipsec] some comments for mm-03: CLOSE vs. UPDATE

Jan Mikael Melen <Jan.Melen@nomadiclab.com> Mon, 10 April 2006 06:16 UTC

From: Jan Mikael Melen <Jan.Melen@nomadiclab.com>
To: hipsec@lists.ietf.org
Subject: Re: [Hipsec] some comments for mm-03: CLOSE vs. UPDATE
Date: Mon, 10 Apr 2006 09:05:09 +0300
Cc: hipsec@ietf.org

Hi,

I just want to say that I agree with Pekka that using the CLOSE message for 
closing something other than the whole HIP association is a bad idea. IMHO the 
semantics of CLOSE and UPDATE are different. UPDATE means that you are 
updating something and still want to continue using the previously created 
HIP association. CLOSE means that you want to end the communication; you 
don't want to send anything anymore using the existing HIP association.

  Regards,
    Jan

On Monday 10 April 2006 06:37, Pekka Nikander wrote:
> [Answering bit-by-bit as most probably I won't have time to go
> over all related messages at this point of time.]
>
> >>> The SAs are closed as defined as in <xref="hip-base"> in the general
> >>> case. As such, closing of the SAs causes all of the SAs to be closed
> >>> also in multihoming scenarios. A host MAY add an ESP_INFO
> >>> parameter to
> >>> a CLOSE message to signal that a specific SA is to be closed. The
> >>> CLOSE-ACK message should also include the same ESP_INFO
> >>> parameter. In
> >>> the ESP_INFO parameter, the old SPI corresponds to SA to be
> >>> removed. The new SPI and keymat index are set to zero.
> >>
> >> I do not necessarily agree with this, and would like to hear other
> >> opinions.  CLOSE should close all security associations; if a
> >> specific
> >> SA is to be closed while others remain open, it should be possible
> >> to do
> >> so through the UPDATE protocol.
> >
> > So, there seems to be some redundancy with CLOSE and UPDATE. In
> > fact, I'd
> > say that the CLOSE could be replaced with UPDATE as it implements
> > only a
> > subset of UPDATE. Petri, Pekka, others - comments?
>
> IIRC, CLOSE was added fairly late in order to allow the _HIP_
> association to be cleanly torn down.  I think Erik Nordmark suggested
> adding it.
>
> I don't think it is a good idea to use CLOSE for closing SAs, or for
> any other purpose than closing the whole HIP SA.  If I understand
> correctly the text above, you Miika are suggesting to use CLOSE to
> close only specific ESP SAs but not the HIP association.  That sounds
> like a pretty bad idea to me, confusing the semantics of CLOSE.  But
> perhaps I don't understand what you are suggesting, Miika?

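To make the distinction the thread argues for concrete, the following is an added example, not code from the draft, from any HIP implementation, or from the participants: a small Python model of a HIP association in which a single ESP SA is removed through UPDATE (using the ESP_INFO encoding from the quoted draft text: old SPI names the SA, new SPI and keymat index are zero), while CLOSE discards the whole association. The class and method names, the state names, and the rekey branch are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class EspInfo:
    """ESP_INFO parameter as quoted in the thread (field names assumed)."""
    old_spi: int
    new_spi: int
    keymat_index: int

@dataclass
class HipAssociation:
    # Hypothetical model: state names follow the HIP base state machine.
    state: str = "ESTABLISHED"
    esp_sas: dict = field(default_factory=dict)  # SPI -> peer address

    def handle_update(self, info: EspInfo) -> str:
        """UPDATE keeps the HIP association; it only changes ESP SAs."""
        if self.state != "ESTABLISHED":
            raise RuntimeError("UPDATE received on a non-established association")
        if info.old_spi not in self.esp_sas:
            raise KeyError(f"unknown SPI {info.old_spi:#x}")
        if info.new_spi == 0 and info.keymat_index == 0:
            # Removal encoding from the quoted draft text: old SPI names the
            # SA to drop; the other SAs and the association stay intact.
            del self.esp_sas[info.old_spi]
        else:
            # Rekey (assumed): the SA continues under the new SPI.
            self.esp_sas[info.new_spi] = self.esp_sas.pop(info.old_spi)
        return "UPDATE-ACK"

    def handle_close(self) -> str:
        """CLOSE ends the association: every SA goes, nothing more is sent."""
        self.esp_sas.clear()
        self.state = "CLOSED"
        return "CLOSE-ACK"

def demo() -> tuple:
    # Constructed sample: one association with two ESP SAs (multihoming).
    assoc = HipAssociation(esp_sas={0x1111: "10.0.0.1", 0x2222: "10.0.1.1"})
    ack1 = assoc.handle_update(EspInfo(old_spi=0x2222, new_spi=0, keymat_index=0))
    remaining = sorted(assoc.esp_sas)          # [0x1111], still ESTABLISHED
    ack2 = assoc.handle_close()
    return ack1, remaining, assoc.state, ack2, len(assoc.esp_sas)
```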