Re: [IPsec] Simultaneous Child SA Creation tigger from both theside.
"Valery Smyslov" <svanru@gmail.com> Mon, 05 May 2014 06:35 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BA561A0260 for <ipsec@ietfa.amsl.com>; Sun, 4 May 2014 23:35:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.889
X-Spam-Level:
X-Spam-Status: No, score=0.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_CHARSET_FARAWAY=2.45, SPF_PASS=-0.001, STOX_REPLY_TYPE=0.439] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aIf0I8X87BUr for <ipsec@ietfa.amsl.com>; Sun, 4 May 2014 23:35:26 -0700 (PDT)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) by ietfa.amsl.com (Postfix) with ESMTP id 616211A0164 for <ipsec@ietf.org>; Sun, 4 May 2014 23:35:26 -0700 (PDT)
Received: by mail-lb0-f181.google.com with SMTP id z11so5006540lbi.12 for <ipsec@ietf.org>; Sun, 04 May 2014 23:35:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=0ytMZzWCqkB+3ri3UoOGLDCVlB0iMJlyDiwICDnfwFc=; b=YUt9oYxKdG5c4vgnqT3rU0V2uplrJqA2R6rEdkDwXgqc1UatpiFCUQRRJWx/vWiy83 c6Z1OXtkfVz+e/H7A5AQVK10jTdPqqnZL+Vos+MhB5PS/a35RtN90MFjGrXNSk7kzcF/ zDzmqRTMeZB4+ZqZ0/nGIHysiwsWY2L8t5U6rNK1RHu5krKPcedhXg43pvswBNmQaYGR pqUsBA5Ugh7evc1T45NAUJMyVyvWZU7vG1EBiD2FNEvJKpGOcxGTidTOQFDOABP8fm5s a9BWkaI4WHeTfJ+Hlj5726cJWxnZO4aRaHFl47K5ps77CqcZjyf2oqObKAULlkntTXYr j6wA==
X-Received: by 10.112.142.68 with SMTP id ru4mr289912lbb.49.1399271722418; Sun, 04 May 2014 23:35:22 -0700 (PDT)
Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id r9sm1019329lal.0.2014.05.04.23.35.20 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Sun, 04 May 2014 23:35:20 -0700 (PDT)
Message-ID: <E07EE2E4B18242A597363B77F04C7539@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Syed Ajim Hussain <syedah@huawei.com>, Yoav Nir <ynir.ietf@gmail.com>
References: <mailman.101.1398884441.30377.ipsec@ietf.org> <335B84BDA2818C428E63D9B0ADE6863545AF7228@szxeml561-mbx.china.huawei.com> <DE8FB8A9-23C6-4828-9129-2B70542F96ED@gmail.com> <335B84BDA2818C428E63D9B0ADE6863545AF7A1A@szxeml561-mbx.china.huawei.com>
Date: Mon, 05 May 2014 10:35:19 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="gb2312"; reply-type="original"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/1LPRSS9kpk1En2bp-J-nYL8LdgA
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Simultaneous Child SA Creation tigger from both theside.
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 06:35:28 -0000
Hi Syed Ajim, > Hi Yoav > Thanks for your reply, This problem happened in real scenario, > problem is- both the Tunnel end points are different vendor, > They handle it differently. > > We can defined this behavior in RFC, > > Also we have some other scenarios, it will be better if we define > these extreme case behavior also in RFC, > to make inter-op smooth. I agree with Yoav that this situation is extremely rare in practice. Note, that RFC4301 deliberately allows to have multiple IPsec SAs established betwen the same peers with the same traffic selectors (for example for the purposes of QoS). So, you can't just delete "erroneous" SA because you have SA with the same traffic selector - the peer may create it for purpose. What about your use case - what's wrong if there are two SAs? Of course, it is some waste of resources, but if your implementation selects outgoing SA deterministically and both peers use the same SA, the other will eventually die by lifetime expiration (as no traffic will flow through it). Regards, Valery Smyslov. > With Regards > Syed Ajim > > -----Original Message----- > From: Yoav Nir [mailto:ynir.ietf@gmail.com] > Sent: 2014年5月4日 12:49 > To: Syed Ajim Hussain > Cc: ipsec@ietf.org > Subject: Re: [IPsec] Simultaneous Child SA Creation tigger from both the > side. > > Hi > > The reason that we don’t have any mention of simultaneous SA creation is > that this issue has not come up in practice. When two IPsec hosts don’t > have an SA for a particular flow (because said flow hasn’t had traffic in > a while), it’s highly unlikely that bidirectional traffic on this flow > will begin simultaneously, or at least before the 1-2 roundtrips it takes > to set up a child SA. > > On the other hand, when SA lifetimes are set and traffic is continuous, it’s very likely that two such implementations will begin a rekeying at the > same time. > > So what would happen? Both implementations get a CreateChildSA request > (or an IKE_AUTH request) after each has sent out its own request. I guess > we could specify it the same way as in section 2.8.1, but doing this would > be a problem because this is not specified and other implementations are > likely not to do it. > > Sorry I don’t have a better answer for you. > > Yoav > > On May 2, 2014, at 3:27 PM, Syed Ajim Hussain <syedah@huawei.com> wrote: > >> Hi All. >> >> Host A --------------Host B >> >> Assume Host-A & Host-B want to established IPSEC Tunnel, First they >> established one IKE SA and one IPSEC SA (Child SA). >> >> After that due to addition of a new IPSEC Policy(SPD), Both the sides >> triggered one more Child SA creation. >> >> This Child SA creation hit simultaneous Child SA Creation condition. >> Since both the side triggered for Child SA >> Creation for one Configured SPD (Traffic Flow). >> >> In RFC 5996 , there is no point mention about simultaneous exchange >> during Child SA create, it only mention Simultaneous >> Handling during Child SA Rekey. >> >> What should be the behavior in case of Simultaneous Child SA >> Creation, if implementation maintain one Child SA per one Traffic Flow >> (SPD). >> >> Does Simultaneous Child SA Rekeying - method also applicable in case >> of Child SA Creation (not Rekey). >> >> >> 2.8.1. Simultaneous Child SA Rekeying >> >> If the two ends have the same lifetime policies, it is possible that >> both will initiate a rekeying at the same time (which will result in >> redundant SAs). To reduce the probability of this happening, the >> timing of rekeying requests SHOULD be jittered (delayed by a random >> amount of time after the need for rekeying is noticed). >> >> >> >> >> Kaufman, et al. Standards Track [Page 36] >> >> RFC 5996 IKEv2bis September 2010 >> >> >> This form of rekeying may temporarily result in multiple similar SAs >> between the same pairs of nodes. When there are two SAs eligible to >> receive packets, a node MUST accept incoming packets through either >> SA. If redundant SAs are created though such a collision, the SA >> created with the lowest of the four nonces used in the two exchanges >> SHOULD be closed by the endpoint that created it. "Lowest" means an >> octet-by-octet comparison (instead of, for instance, comparing the >> nonces as large integers). In other words, start by comparing the >> first octet; if they're equal, move to the next octet, and so on. If >> you reach the end of one nonce, that nonce is the lower one. The >> node that initiated the surviving rekeyed SA should delete the >> replaced SA after the new one is established. >> >> The following is an explanation on the impact this has on >> implementations. Assume that hosts A and B have an existing Child SA >> pair with SPIs (SPIa1,SPIb1), and both start rekeying it at the same >> time: >> >> Host A Host B >> ------------------------------------------------------------------- >> send req1: N(REKEY_SA,SPIa1), >> SA(..,SPIa2,..),Ni1,.. --> >> <-- send req2: N(REKEY_SA,SPIb1), >> SA(..,SPIb2,..),Ni2 >> recv req2 <-- >> >> At this point, A knows there is a simultaneous rekeying happening. >> However, it cannot yet know which of the exchanges will have the >> lowest nonce, so it will just note the situation and respond as >> usual. >> >> send resp2: SA(..,SPIa3,..), >> Nr1,.. --> >> --> recv req1 >> >> Now B also knows that simultaneous rekeying is going on. It responds >> as usual. >> >> <-- send resp1: SA(..,SPIb3,..), >> Nr2,.. >> recv resp1 <-- >> --> recv resp2 >> >> At this point, there are three Child SA pairs between A and B (the >> old one and two new ones). A and B can now compare the nonces. >> Suppose that the lowest nonce was Nr1 in message resp2; in this case, >> B (the sender of req2) deletes the redundant new SA, and A (the node >> that initiated the surviving rekeyed SA), deletes the old one. >> >> >> >> Kaufman, et al. Standards Track [Page 37] >> >> RFC 5996 IKEv2bis September 2010 >> >> >> send req3: D(SPIa1) --> >> <-- send req4: D(SPIb2) >> --> recv req3 >> <-- send resp3: D(SPIb1) >> recv req4 <-- >> send resp4: D(SPIa3) --> >> >> The rekeying is now finished. >> >> However, there is a second possible sequence of events that can >> happen if some packets are lost in the network, resulting in >> retransmissions. The rekeying begins as usual, but A's first packet >> (req1) is lost. >> >> Host A Host B >> ------------------------------------------------------------------- >> send req1: N(REKEY_SA,SPIa1), >> SA(..,SPIa2,..), >> Ni1,.. --> (lost) >> <-- send req2: N(REKEY_SA,SPIb1), >> SA(..,SPIb2,..),Ni2 >> recv req2 <-- >> send resp2: SA(..,SPIa3,..), >> Nr1,.. --> >> --> recv resp2 >> <-- send req3: D(SPIb1) >> recv req3 <-- >> send resp3: D(SPIa1) --> >> --> recv resp3 >> >> From B's point of view, the rekeying is now completed, and since it >> has not yet received A's req1, it does not even know that there was >> simultaneous rekeying. However, A will continue retransmitting the >> message, and eventually it will reach B. >> >> resend req1 --> >> --> recv req1 >> >> To B, it looks like A is trying to rekey an SA that no longer exists; >> thus, B responds to the request with something non-fatal such as >> CHILD_SA_NOT_FOUND. >> >> <-- send resp1: N(CHILD_SA_NOT_FOUND) >> recv resp1 <-- >> >> When A receives this error, it already knows there was simultaneous >> rekeying, so it can ignore the error message >> >> >> _______________________________________________ >> IPsec mailing list >> IPsec@ietf.org >> https://www.ietf.org/mailman/listinfo/ipsec > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] Simultaneous Child SA Creation tigger fro… Syed Ajim Hussain
- Re: [IPsec] Simultaneous Child SA Creation tigger… Yoav Nir
- Re: [IPsec] Simultaneous Child SA Creation tigger… Syed Ajim Hussain
- Re: [IPsec] Simultaneous Child SA Creation tigger… Valery Smyslov
- Re: [IPsec] Simultaneous Child SA Creation tigger… Paul Wouters
- Re: [IPsec] Simultaneous Child SA Creation tigger… Nico Williams
- Re: [IPsec] Simultaneous Child SA Creation tigger… Nico Williams
- Re: [IPsec] Simultaneous Child SA Creation tigger… Yoav Nir
- Re: [IPsec] Simultaneous Child SA Creation tigger… Praveen Sathyanarayan
- Re: [IPsec] Simultaneous Child SA Creation tigger… Tero Kivinen