Re: [IPsec] IKEv2 initial contact handling?

[Tero Kivinen <kivinen@iki.fi>]

Kanaga Kannappan writes:
> Yes, we can retain the IPsec SAs on responder to avoid blackholing. 
> 
> But in IKEv2, IKE & IPsec SAs are tied together and, in this case we
> would have to create an exception, where IPsec SA would live without
> a parent IKE SA. 

No.

First of all INITIAL_CONTACT is never sent rekeying so that is not a
problem. It is only sent when the end does not have any IKE or IPsec
SAs with the other end. Secondly, you are only supposed to delete IKE
SAs you have with the other end, i.e. not the ones you are middle of
negotiating with. Also as this notification is included in the
IKE_AUTH, it can only happen if the IKE_AUTH payloads really cross
each other on the wire.

As it might be possible that the first packets did cross on the wire,
but one of them got lost, and thats why it looks like the other peer
is sending INITIAL_CONTACT notification even after the first IKE SA
has already been created, you still need to take care of that
situation. I.e. the generic case you need to take care of is:

   Host A			    Host B
   ------			    ------
1) IKE_SA_INIT request -->	    <-- IKE_SA_INIT request
2) IKE_SA_INIT reply -->	    <-- IKE_SA_INIT reply
3) IKE_AUTH request -->		    (the IKE_AUTH of host B got lost)
4)				    Host B receives IKE_AUTH request,
 				    sends reply
5)				    <-- IKE_AUTH reply
6) Host A gets IKE_AUTH reply, finishes IKE SA
7)				    <-- IKE_AUTH request retransmission
8)  Host A gets IKE_AUTH request with INITIAL_CONCACT notification
9)  Host A replies to it
10) IKE_AUTH reply -->
11)				    Host B gets IKE_AUTH reply and
				    finishes 2nd IKE SA

Now the problem would be in the step 8, where the Host A has already
finished the IKE SA, and gets INITIAL_CONTACT notification from the
other end.

There are few ways to solve this, either it can check that as the IKE
SA it has was not ready at the point when this IKE SA negotiation
started, and detect that this is exchange collision. With this
exchange collision, it might simply continue normally and not to
delete the IKE SA it already has as this is exchange collision. After
this it has two IKE SAs and that is not a problem.

Other options the Host A could do is when it detects exchange
collision is to remove one of the IKE SAs, but in that case it needs
to send IKE SA delete to inform the other end that it has deleted it,
as this is not the case of leftover IKE SAs, but it is the case of
exchange collision. 

Other option is to simply not to delete "recently" created IKE SAs,
and simply assume all of those are collisions. What it could do for
those "recently" created IKE SA is to assume that they might be dead,
and it could start dead peer detection for them, or it can simply wait
for the normal dead peer detection to kick up when there is no traffic
from the other end.

The definition of recently could be something like last 30 seconds.

Note, that it should not be considered a problem to have multiple IKE
SAs between two peers. The INITIAL_CONTACT notification is not
supposed to be preventing that, it is supposed to clear out old unused
IKE SAs the other end might have. If both ends are configured to
automatically initiate connections immediately when the there is on
IKE SA (which can cause this setup), then it is best to configure SAs
so that they do not send INITIAL_CONTACT notifications. If the IKE SA
is kept alive all the time, then normal dead peer detection and other
methods will take care of the old SAs.

INITIAL_CONTACT was much more important in the IKEv1 world where there
was no reliable deletes, or other ways of knowing whether the other
end was alive or not. In IKEv2 there is less need for it, so leaving
it out does not cause that much problems. 
-- 
kivinen@iki.fi