IETF Logo Mail Archive

Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt

Valery Smyslov <svanru@gmail.com> Thu, 09 July 2009 07:42 UTC

Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 01A533A6C68 for <ipsec@core3.amsl.com>; Thu, 9 Jul 2009 00:42:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Q+OvN+urEZC for <ipsec@core3.amsl.com>; Thu, 9 Jul 2009 00:42:47 -0700 (PDT)
Received: from mail-ew0-f226.google.com (mail-ew0-f226.google.com [209.85.219.226]) by core3.amsl.com (Postfix) with ESMTP id 6EB633A6831 for <ipsec@ietf.org>; Thu, 9 Jul 2009 00:42:47 -0700 (PDT)
Received: by ewy26 with SMTP id 26so2312579ewy.37 for <ipsec@ietf.org>; Thu, 09 Jul 2009 00:43:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=4IZ+s91Kvwq0Aog9JtKHLJkanYWoK7w/qeT2Id5LW9w=; b=Y0LJ8GkgZnVg87ZP69JgfsPpTMGW+pPUBm9ZOKRtQY6pvCd0f8iYxs5WW6CqJqcXEr yi5dmjJbM+cXjngB57SivGtmci98gVfIVn1HRPck2neDjZjOkDLD34QRwpPN+QEeUrLh 9ngf2vBRWHfhVGtDo4Szj5lR3J8imHAOFs7Fs=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=DT3Lunbj2odRhWlK8+rgK7fcpo4u0CX5nP1lBpPGv+J+zavQX2njQqdrpXQ4aaUD0R Wt5Ix/JIE0jFH6WBeVsJqN5lRkmKS/5Slo8uIZhP+RuxoyQAEdfHKWPimvdZbAL3HULb COYaaMOOd7CA7q7Q899zGiLlLIxlkoBhOXCzw=
MIME-Version: 1.0
Received: by 10.216.39.85 with SMTP id c63mr130458web.103.1247125392083; Thu, 09 Jul 2009 00:43:12 -0700 (PDT)
In-Reply-To: <006FEB08D9C6444AB014105C9AEB133F433538CE42@il-ex01.ad.checkpoint.com>
References: <20090701091501.2DAE328C101@core3.amsl.com> <006FEB08D9C6444AB014105C9AEB133F433539DEC2@il-ex01.ad.checkpoint.com> <7ccecf670907030651uec406e4ha9fa9adc027f8335@mail.gmail.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC8E8ABD594C4@il-ex01.ad.checkpoint.com> <7ccecf670907040336t51b15b1t790284952459069a@mail.gmail.com> <19027.41530.987118.492735@fireball.kivinen.iki.fi> <7ccecf670907072118l2cad6e24i6de6aadfc023604a@mail.gmail.com> <006FEB08D9C6444AB014105C9AEB133F433538CE42@il-ex01.ad.checkpoint.com>
Date: Thu, 09 Jul 2009 11:43:11 +0400
Message-ID: <3d7da440907090043w571fdb87g5a3a2e5211a62eb2@mail.gmail.com>
From: Valery Smyslov <svanru@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Tero Kivinen <kivinen@iki.fi>, Raj Singh <rsjenwar@gmail.com>
Subject: Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2009 07:42:49 -0000

Hi all,

I think, adding new payload or exchange type is a real overkill for
such a small extension.
IKE has well defined mechanism for advertising/negotiating new
extensions via VID or Notify.
Other extensions (like MOBIKE) use it, so why multiply entities unnecessarily?

Then, I'd rather leave a decision whether to proceed with childless or
full versions
of IKE_AUTH exchange completely at initiator's discretion. After all,
it is he/she, who
knows what happened - either user pressed "connect" button or there
was a real packet.
I think, responder should not have any policy on this - just capability.
How could, for example, he/she insist on childless IKE SA if initiator
has a real
packet to protect? In this case it will either lead to denial of communication
or initiator will probably create childless IKE SA following by CREATE_CHILD_SA,
increasing unnecessary load on responder. Prohibiting childless IKE SA
by responder
doesn't make much sense either - nothing prevents initiator from following
current behaviour - creating dummy IPsec SA and immediately deleting it.
All responder has in this case is again unnecessary load on herself/himself.

>From my point of view, childless mode is just a usefull protocol optimization,
and it is initiator, who must decide whether to use it. For this purpose
peers must exchange VID/Notify payloads during IKE_SA_INIT, claiming their
capabilities to proceed with childless IKE_AUTH. Then, if both
sides support it, initiator decides whether to use it. In this case responder
must be prepared to both versions of IKE_AUTH. If responder doesn't
support this extension, it naturally doesn't send corresponding VID/Notify.
At this point initiator must either proceed with current behaviour - dummy IPsec
proposal (if she/he really wants IKE SA) or terminate exchange if she/he
doesn't support current behaviour (in which case it is a misconfiguration).

Regards,
Valery Smyslov.


2009/7/8, Yoav Nir <ynir@checkpoint.com>:
> Hi Raj
>
> What Yaron suggested, was to create a new payload type, and mark that as
> critical.
>
> I don't like either Yaron's or Tero's suggestions, as both lead to a kind of
> "take it or leave it" behavior. The initiator proposes doing "childless",
> and if the responder does not agree, the IKE SA breaks.
>
> At least for the remote access case, where we want a stand-by IKE SA so that
> eventually we can have child SAs, this does not make sense. If the responder
> does not support childless, the initiator can still propose universal
> selectors, and the responder will narrow them down to a (possibly useless)
> valid SA.
>
> I think a better option is to have a notify/VID payload, with flags
> indicating whether a childless exchange is wanted, required or prohibited,
> and whether subsequent child SAs should be permitted.  This does still have
> a problem where the initiator requires that the IKE_AUTH be childless and
> the responder does not support the extension.
>
> Alternatively, we could adopt Yaron's suggestion, and make a new payload,
> with a critical bit turned on or off according to requirement level. I don't
> like having empty payloads, but I can't back up this dislike with any good
> argument.
>
> Maybe when we make version 2.1 of IKE, we can add a "critical type" bit to
> the notification payload.
> ________________________________
> From: Raj Singh [mailto:rsjenwar@gmail.com]
> Sent: Wednesday, July 08, 2009 7:18 AM
> To: Tero Kivinen
> Cc: Yaron Sheffer; ipsec@ietf.org; Yoav Nir
> Subject: Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt
>
> Hi Tero,
>
> Thanks for your valuable inputs.
> Please find re inputs inline. <Raj>
> On Wed, Jul 8, 2009 at 1:00 AM, Tero Kivinen
> <kivinen@iki.fi<mailto:kivinen@iki.fi>> wrote:
> Raj Singh writes:
>> Your suggestion of having "critical" bit set on childless notify/VID
>> payload
>> from initiator in IKE_SA_INIT exchange will define the bahavior as
>> mentioned
>> below.
> That is not correct way of using critical bit. Critical bit means that
> if it is set and the PAYLOAD TYPE is not understood, then
> UNSUPPORTED_CRITICAL_PAYLOAD error is reported. Every implementation
> will understand Notify and Vendor ID payloads, thus they will never
> return UNSUPPORTED_CRITICAL_PAYLOAD regardless what the contents of
> those payloads are.
> <Raj>
> I  was under impression that we can have "critical" bit in childless
> IKE_AUTH notify/VID.
> Even Yaron also clarified in same thread that we need new exchange type to
> have "critical" bit on it.
>
>
>> If initiator want to childless IKE_AUTH, it will send  CHILDLESS_IKE_AUTH
>> notify/VID payload having "critical" flag SET in IKE_SA_INIT request.
> And complient implentation will do what to do as RFC4306 says ie:
>
>      ... MUST be ignored by the recipient if the recipient
>      understands the payload type code. MUST be set to zero for
>      payload types defined in this document. Note that the critical
>      bit applies to the current payload rather than the "next"
>      payload whose type code appears in the first octet. The
>      reasoning behind not setting the critical bit for payloads
>      defined in this document is that all implementations MUST
>      understand all payload types defined in this document and
>      therefore must ignore the Critical bit's value. Skipped payloads
>      are expected to have valid Next Payload and Payload Length
>      fields.
>
> The correct way to do is to make new exchange type for this new
> childless IKE_SA_INIT & IKE_AUTH. That way old implenentations will
> then know that they do not understand this new type and will drop the
> packets. This is if you really want the property that if responder
> does not understand chieldless IKE_AUTH you do not want to continue at
> all.
>
> I have not yet read the draft, as I have been too busy with working
> group drafts already, and I still do not know if this is really needed
> at all...
> <Raj>
> If we can't have "critical" bit inside associated data of childless
> notify/VID,  then
> new exchange type is a near possibility.
> Please have a look at the use cases in the draft for need of this draft.
>
> --
> kivinen@iki.fi<mailto:kivinen@iki.fi>
>
> With Regards,
> Raj
>

v2.31.3 | Report a Bug | By Email | System Status