Re: [IPsec] Additional charter items 1/4: Responder MOBIKE

"Valery Smyslov" <> Tue, 20 February 2018 15:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 471CA127867 for <>; Tue, 20 Feb 2018 07:24:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.199
X-Spam-Status: No, score=-1.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_SORBS_WEB=1.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ve1We8XaxoLU for <>; Tue, 20 Feb 2018 07:24:43 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4010:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 625281242F7 for <>; Tue, 20 Feb 2018 07:24:43 -0800 (PST)
Received: by with SMTP id 70so4751576lfw.2 for <>; Tue, 20 Feb 2018 07:24:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-transfer-encoding:thread-index :content-language; bh=kKIZvnl84xHwzkQphlB2CT4IvG4RSL++ADiAZacqCMk=; b=kNOo4fG16YZX4hw2AcxjzMyEGd9ZmDylgJIFjNxVpmMHGCX9NG/d7HyHIF2C+YFBWf jiUXEJ+ojRuMa+i7rU+puV2TEMfz2Q3y4rC/9amOy4hpxi72EBq0ozHdfjQnOlftWUPf NoyxYdYOCEkg6+CqiFxXXYoqeFgu9mvI26z8kgg2ivn0c6LV15mY+pFhU5YX/Q1aqJq6 vNN8H8UgFjkrmXq4qG2/dA0Vb4cZ2/rK/vXMY8GOIyn0eiuMDG7Fgj+pi+/jraJ6fWGY iNEYXeYOuZO9lewuYR8FCmXEsVpvj9XDi0kNlFvdVCvuQ/mF0E+fQIeQmwYC3GB8R2US 92RA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:to:cc:references:in-reply-to:subject:date :message-id:mime-version:content-transfer-encoding:thread-index :content-language; bh=kKIZvnl84xHwzkQphlB2CT4IvG4RSL++ADiAZacqCMk=; b=O37Resq2N5StvbrMro65AsqdNl3n/AdzVwqusmXfNwTBj5mJRpcUocvS+mh4evEoec T1tGFpjPzQr/vc5Ll/6Wx9Ywp/9zIsVjxEcfJmlarG6IochSqcwKFmEiIc/VmfnqRqit v+uvt9X0S6phhglVk2KgqMHDSmnY5nkgf65JV3WKr+7ireR9rTl9FonRv7wcrpHHGlu9 skd+/yh3yTSKGpgC/lLoIU5Zg5lLgwgj+nUdWSj07P5tnYBkNDObfYi1eqdWpS7ge7Tq JWIFzZtJov5XOaEgaI65TNHSPIB20DDS9irX0TsaWP1uw3ic2VIuA9h6up0FmvkhkrfY FPjQ==
X-Gm-Message-State: APf1xPCf0hVn0UwZvqAYY932LnB1D1eS25Lu1JHHTsRHj+sUBLGdgGW0 SEHN9DEjTJSPn79zvImvLPfxMQ==
X-Google-Smtp-Source: AH8x22782Dj7gyd2gh9dA3F24+B+1ivlJ9IAO3dWtk9kfP2nCIFwByKCoCJzBx+oDYCew7nmVmXy5Q==
X-Received: by with SMTP id r135mr3674lfe.80.1519140281206; Tue, 20 Feb 2018 07:24:41 -0800 (PST)
Received: from buildpc ([]) by with ESMTPSA id m74sm830700lfe.85.2018. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 20 Feb 2018 07:24:40 -0800 (PST)
From: "Valery Smyslov" <>
To: "'Tero Kivinen'" <>
Cc: <>
References: <> <02c501d3a95e$a5d73200$f1859600$> <>
In-Reply-To: <>
Date: Tue, 20 Feb 2018 18:24:38 +0300
Message-ID: <038e01d3aa5e$ec66bc80$c5343580$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJXnlQnOgkoKoWaf0xqED6y+ZUK7AHZIA6IAi7r5FqihL8fsA==
Content-Language: ru
Archived-At: <>
Subject: Re: [IPsec] Additional charter items 1/4: Responder MOBIKE
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Feb 2018 15:24:45 -0000

Hi Tero,

> Valery Smyslov writes:
> > 3. MOBIKE. In current MOBIKE only initial initiator can initiate change of IP addresses.
> >      If this problem is solved, then this is the best choice for load sharing clusters.
> Mobike is symmetric in IKEv2 level. Either end can have multiple IP
> addresses and can change the address at will. 

This is true. However, it is the original initiator who decides which addresses to use.
The original responder mostly plays passive role, only informing the initiator
which addresses are available.

> The problem is that you
> want something else than that, i.e., you do not want responder to
> change IP address and start using that as you can with MOBIKE. I think
> what you are really wanting is to responder to signal and ask for the
> initiator to change the address because you assume there is NAT
> between and if the responder just starts sending packets from new
> source IP address then they do not reach the initiator?


> Note, the initiator do select the address pair to be used in the IPsec
> SA, but for the IKEv2 SA the exchange initiator selects which address
> pair is used. (RFC4555 section 2.1, last sentence of the 2nd
> paragraph).

It states that " the exchange initiator _can_ decide which addresses are used."
While he/she definitely can, the exchange would fail in case of restricted
NAT if the responder initiated the exchange from the IP address 
the NAT box has no mapping for.

> Also I think this can also already be done using standard RFC4555
> mobike. In the section 3.5 says when the initiator should change the
> address and one of the examples it gives is:
>    o  An INFORMATIONAL request containing an ADDITIONAL_IP4_ADDRESS,
>       is received. This means the peer's addresses may have changed.
>       This is particularly important if the announced set of addresses
>       no longer contains the currently used address.
> The responder can simply do following describined in the RFC4555
> section 3.6:
>    There is one additional complication: when the responder wants to
>    update the address set, the currently used addresses may no longer
>    work. In this case, the responder uses the additional address list
>    received from the initiator, and the list of its own addresses, to
>    determine which addresses to use for sending the INFORMATIONAL
>    request. This is the only time the responder uses the additional
>    address list received from the initiator.

If original responder used its address the NAT box has no
mapping for yet, the exchange would fail.

> I.e., if it wants to move initiator from IP_R1 to IP_R2 it simply
> sends INFORMATIONAL exchange with source address of IP_R2 to IP_Ix and
> usable addresses and when initiator sees this it will immediately
> trigger to change the addresses used for IKEv2 SA and IPsec SA.
> Of course one of the issues that if there is restricted NAT between
> hosts then packet from IP_R2 will not reach the initiator, unless the
> initiator has opened that port pair also in the NAT (which it can do
> by sending probe/keepalive packets out to the responder using all
> address from the responder).

In MOBIKE the initiator is not obliged to do this. Section 3.10:

   Implementations MAY do path testing even if
   the path currently being used is working to, for example, detect when
   a better (but previously unavailable) path becomes available.

> So at least the charter text is misleading, as I think this can
> already be done without any problems with MOBIKE as long as there is
> no NATs between, and even if there is NAT, the initiator can simply
> send keepalives for all responder addresses, and then it works. 

If there is no NAT in between, then there is no problem.

In real life there is a NAT in most cases. And while in presence
of NAT in theory unmodified MOBIKE _may_ work, there are too many 
vague places in the RFC that makes this problematic:
 - the initiator is not obliged to probe addresses other than the currently used ones
 - even if it probes, it may do it too rarely, so that the created NAT mapping 
   will expire

So, there is no guarantee for a cluster that the operation
of moving a client from one node to another will succeed.
I'd like such operations to be more deterministic.

> Note, that even in that case there is no protocol changes with them, and
> even if the address update from responder never reaches the initiator
> the MOBIKE still works, as long as the responders stops responding to
> the IP_R1 address (i.e., the address where it wants the initiator to
> move away from).
> I.e., if responder has IP_R1 and IP_R2 addresses, and initiator is
> using IP_R1, and responder wants it to stop using it and move to
> IP_R2, then it is simply enough to stop responding to packets coming
> to the IP_R1. The initiator will detect this and move to use IP_R2...
> Yes, there will be short delay causing packets to be lost in this
> case. 

We seem to have different view of what "short" means :-)

The initiator doesn't sent liveness checks continuously.
It start probing current path if it suspects there is something wrong with it,
e.g. there is no IPsec packets from the responder for some period
of time. This period cannot be too short, it is usually tens of seconds 
to minute. Then, when starting probing the current path the initiator 
performs several retransmissions before giving up. And again, the timeout
cannot be too short, it is usually at least ten seconds, more likely 
about a minute. So your "short" delay is at least about a minute,
or even more. 

I don't think this delay is appropriate for any real-time traffic.

Needless to say that this approach also complicates cluster implementation.
To move a client from one node to another the cluster needs first to
send ADDITIONAL_*_ADDRESS that contains only the address of the node
the cluster wants to move client to. Then the IKE SA state must be transferred 
to a new node and the current node must stop responding to this client.
Then the cluster would wait until the client detects the failure and switches
itself to a new node. And there is also a chance that there are some IKE exchanges 
in progress, so if the node stops responding the exchanges could time out the and
the IKE SA would be deleted before the movement takes place (in my proposal
the MOBIKE is combined with RFC6311 exchange to make this working)...

> This delay will be eliminiated if the address update from
> responder reached initiator, i.e., if the initiator kept the ports
> open in NAT or if there is no NAT between.

There is absolutely no guarantee that it will work.
I'd like to have something more reliable.


> --