[Hipsec] Completing 5201 state machine
Tobias Heer <heer@cs.rwth-aachen.de> Wed, 13 October 2010 16:11 UTC
Return-Path: <heer@informatik.rwth-aachen.de>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 22A7F3A682A for <hipsec@core3.amsl.com>; Wed, 13 Oct 2010 09:11:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Level:
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[AWL=-0.556, BAYES_20=-0.74, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FlHP7cympzAO for <hipsec@core3.amsl.com>; Wed, 13 Oct 2010 09:11:47 -0700 (PDT)
Received: from mta-1.ms.rz.rwth-aachen.de (mta-1.ms.rz.RWTH-Aachen.DE [134.130.7.72]) by core3.amsl.com (Postfix) with ESMTP id 86D953A6A11 for <hipsec@ietf.org>; Wed, 13 Oct 2010 09:11:40 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from ironport-out-1.rz.rwth-aachen.de ([134.130.5.40]) by mta-1.ms.rz.RWTH-Aachen.de (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008)) with ESMTP id <0LA8005JUL1KY460@mta-1.ms.rz.RWTH-Aachen.de> for hipsec@ietf.org; Wed, 13 Oct 2010 18:12:56 +0200 (CEST)
X-IronPort-AV: E=Sophos;i="4.57,326,1283724000"; d="scan'208";a="76760525"
Received: from relay-auth-1.ms.rz.rwth-aachen.de (HELO relay-auth-1) ([134.130.7.78]) by ironport-in-1.rz.rwth-aachen.de with ESMTP; Wed, 13 Oct 2010 18:12:56 +0200
Received: from informatik-lufgi-4-137-226-59-218.nn.rwth-aachen.de ([unknown] [137.226.59.218]) by relay-auth-1.ms.rz.rwth-aachen.de (Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)) with ESMTPA id <0LA800GEPL1KD780@relay-auth-1.ms.rz.rwth-aachen.de> for hipsec@ietf.org; Wed, 13 Oct 2010 18:12:56 +0200 (CEST)
From: Tobias Heer <heer@cs.rwth-aachen.de>
Date: Wed, 13 Oct 2010 18:12:55 +0200
Message-id: <917A9DF6-17C4-4AAF-9132-1A865D0A824B@cs.rwth-aachen.de>
To: HIP WG <hipsec@ietf.org>
X-Mailer: Apple Mail (2.1081)
Subject: [Hipsec] Completing 5201 state machine
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Oct 2010 16:11:53 -0000
Hello, the state machine of RFC5201 (not -bis) has some white spots which I try to cover now. Nothing essential is missing but it seems slightly underspecified the way it is now. Handling of the following packets is missing in some states: CLOSE, CLOSE_ACK, and NOTIFY. And it is not caught by the "handle ANYOTHER" rules that serve as catch-all. I'll list the changes that I'll make here and ask for feedback from the group and especially implementors. 1.) Receive CLOSE in state I2-sent: ------------------------------ Why can this happen? - R2 is lost (maybe repeatedly), Responder transitions to from R2-SENT to ESTABLISHED because of timeout, Responder decides to close association (because of some reason) Proposed action: process packet - successful: transition to CLOSING - fail: drop and stay at I2-sent 2.) Receive CLOSE in state R2-sent ------------------------------ Why can this happen? - Responder cannot observe data packet flow (this is the case for some implementations), Responder timeout for transition from R2-SENT to ESTABLISHED has not fired yet, Initiator decides to close association (because of some reason) Proposed action: process packet - successful: transition to CLOSING - fail: drop and stay at R2-sent 3.) Receive CLOSE_ACK in state R2-sent ------------------------------ Why can this happen? - It shouldn't but there is nothing specified. Proposed action: drop 4.) Receive NOTIFY in state R2-sent ------------------------------ Why can this happen? - Responder cannot observe the data channel and timeout has not fired yet. Proposed action: process and stay in R2 sent 5.) Receive CLOSE_ACK in state ESTABLISHED ------------------------------ Why can this happen? - It shouldn't but there is nothing specified. Proposed action: drop 6. Receive NOTIFY in state ESTABLISHED ------------------------------ Why can this happen? - Well, there are many reasons for this. This is normal behavior. Proposed action: process and stay in ESTABLISHED I would appreciate if you could have a look at the proposed changes and give feedback. None of the changes has dramatic effects on existing implementations of HIPv1 but 1) and 2) might require some minor change of code if the implementations don't handle (or handle differently) the CLOSE messages in these states. BR, Tobias -- Dipl.-Inform. Tobias Heer, Ph.D. Student Chair of Communication and Distributed Systems - comsys RWTH Aachen University, Germany tel: +49 241 80 207 76 web: http://ds.cs.rwth-aachen.de/members/heer blog: http://dtobi.wordpress.com/ card: http://card.ly/dtobi
- [Hipsec] Completing 5201 state machine Tobias Heer
- Re: [Hipsec] Completing 5201 state machine Henderson, Thomas R
- Re: [Hipsec] Completing 5201 state machine Miika Komu
- Re: [Hipsec] Completing 5201 state machine Tobias Heer
- Re: [Hipsec] Completing 5201 state machine Henderson, Thomas R
- Re: [Hipsec] Completing 5201 state machine Tobias Heer
- Re: [Hipsec] Completing 5201 state machine Laganier, Julien
- Re: [Hipsec] Completing 5201 state machine Tobias Heer
- Re: [Hipsec] Completing 5201 state machine Laganier, Julien