IETF Logo Mail Archive

Re: [Hipsec] Completing 5201 state machine

Tobias Heer <heer@cs.rwth-aachen.de> Tue, 19 October 2010 09:43 UTC

Return-Path: <heer@informatik.rwth-aachen.de>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B51903A63EC for <hipsec@core3.amsl.com>; Tue, 19 Oct 2010 02:43:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.377
X-Spam-Level:
X-Spam-Status: No, score=-4.377 tagged_above=-999 required=5 tests=[AWL=0.424, BAYES_00=-2.599, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G-1DRmRNJEFX for <hipsec@core3.amsl.com>; Tue, 19 Oct 2010 02:43:53 -0700 (PDT)
Received: from mta-2.ms.rz.rwth-aachen.de (mta-2.ms.rz.RWTH-Aachen.DE [134.130.7.73]) by core3.amsl.com (Postfix) with ESMTP id E929E3A63D2 for <hipsec@ietf.org>; Tue, 19 Oct 2010 02:43:52 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from ironport-out-2.rz.rwth-aachen.de ([134.130.5.41]) by mta-2.ms.rz.RWTH-Aachen.de (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008)) with ESMTP id <0LAJ00CUU73MT6B0@mta-2.ms.rz.RWTH-Aachen.de> for hipsec@ietf.org; Tue, 19 Oct 2010 11:45:22 +0200 (CEST)
X-IronPort-AV: E=Sophos;i="4.57,349,1283724000"; d="scan'208";a="41309083"
Received: from relay-auth-2.ms.rz.rwth-aachen.de (HELO relay-auth-2) ([134.130.7.79]) by ironport-in-2.rz.rwth-aachen.de with ESMTP; Tue, 19 Oct 2010 11:45:22 +0200
Received: from umic-i4-137-226-45-90.nn.rwth-aachen.de ([unknown] [137.226.45.90]) by relay-auth-2.ms.rz.rwth-aachen.de (Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)) with ESMTPA id <0LAJ00IYB73M6C20@relay-auth-2.ms.rz.rwth-aachen.de> for hipsec@ietf.org; Tue, 19 Oct 2010 11:45:22 +0200 (CEST)
From: Tobias Heer <heer@cs.rwth-aachen.de>
In-reply-to: <7CC566635CFE364D87DC5803D4712A6C4CEC451A09@XCH-NW-10V.nw.nos.boeing.com>
Date: Tue, 19 Oct 2010 11:45:21 +0200
Message-id: <BA13FE85-80E4-470C-BAD7-7348E1F7816A@cs.rwth-aachen.de>
References: <917A9DF6-17C4-4AAF-9132-1A865D0A824B@cs.rwth-aachen.de> <7CC566635CFE364D87DC5803D4712A6C4CEC451A09@XCH-NW-10V.nw.nos.boeing.com>
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
X-Mailer: Apple Mail (2.1081)
Cc: HIP WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Completing 5201 state machine
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Oct 2010 09:43:55 -0000

Hi Tom, 

thanks for your review of this!

Am 19.10.2010 um 01:41 schrieb Henderson, Thomas R:

> Tobias, I reviewed the OpenHIP behavior to these white spots, below:
> 
>> -----Original Message-----
>> From: hipsec-bounces@ietf.org
>> [mailto:hipsec-bounces@ietf.org] On Behalf Of Tobias Heer
>> Sent: Wednesday, October 13, 2010 9:13 AM
>> To: HIP WG
>> Subject: [Hipsec] Completing 5201 state machine
>> 
[...]
>> 
>> 1.) Receive CLOSE in state I2-sent:
>> ------------------------------
>> Why can this happen?
>> - R2 is lost (maybe repeatedly), Responder transitions to
>> from R2-SENT to ESTABLISHED because of timeout, Responder
>> decides to close association (because of some reason)
>> 
>> Proposed action: process packet
>> - successful: transition to CLOSING
>> - fail: drop and stay at I2-sent
> 
> OpenHIP allows CLOSE in states ESTABLISHED, CLOSING, CLOSED, and R2_SENT, but does not process it in this state.
> 
> Can you clarify what you want to happen here?  Usually, if peer sends a CLOSE, you send CLOSE_ACK and transition to CLOSED, not to CLOSING.
> 
Good catch. Indeed I mean CLOSED. The host should send a CLOSE_ACK and transition to CLOSED.

I guess this case will only happen rarely - maybe never for some implementations. 

How do we end up here?

0.) I1, R1
1.) Initiator sends I2. 
2.) Responder sends R2
3.) R2 is lost or delayed
4.) Timeout at Responder fires: Responder transitions to ESTABLISHED
5.) Further I2 messages from Initiator are lost
6.) Responder decides to close the ESTABLISHED connection, sends CLOSE and transitions to CLOSING
7.) Now the Initiator receives the CLOSE message while in state I2-sent

I admit that the case is somewhat constructed but possible nonetheless.


>> 
>> 
>> 2.) Receive CLOSE in state R2-sent
>> ------------------------------
>> Why can this happen?
>> - Responder cannot observe data packet flow (this is the case
>> for some implementations), Responder timeout for transition
>> from R2-SENT to ESTABLISHED has not fired yet, Initiator
>> decides to close association (because of some reason)
>> 
>> Proposed action: process packet
>> - successful: transition to CLOSING
>> - fail: drop and stay at R2-sent
> 
> OpenHIP accepts this packet, sends CLOSE_ACK, and transitions to CLOSED.  As in 1) above, are you suggesting state CLOSING or CLOSED?
> 
Same as 1). Process, if valid: send CLOSE_ACK and transition to CLOSED.

Above you said that OpenHIP wouldn't process CLOSE messages in state R2_SENT. What do you mean by that? Isn't sending a CLOSE_ACK (as you mention for 2.) such processing? Am I confusing something here?


[...]


Tobias


-- 
Dipl.-Inform. Tobias Heer, Ph.D. Student
Chair of Communication and Distributed Systems - comsys
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer
blog: http://dtobi.wordpress.com/
card: http://card.ly/dtobi

v2.29.0 | Report a Bug | By Email | System Status