Re: [IPsec] Simultaneous Child SA Creation trigger from both the side.

Paul Wouters <paul@nohats.ca> Mon, 05 May 2014 13:09 UTC

Date: Mon, 05 May 2014 09:09:09 -0400
From: Paul Wouters <paul@nohats.ca>
To: Syed Ajim Hussain <syedah@huawei.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/1Wn0XvRRhrFSZ9KBeGoRH9091fA
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>
Subject: Re: [IPsec] Simultaneous Child SA Creation trigger from both the side.

On Mon, 5 May 2014, Syed Ajim Hussain wrote:

> Thanks for your reply. This problem happened in a real scenario; the
> problem is that both tunnel endpoints are from different vendors, and
> they handle it differently.
>
> We can define this behavior in the RFC.
>
> Also, we have some other scenarios; it would be better if we also
> defined these extreme-case behaviors in the RFC, to make interop smooth.

In libreswan (openswan) the daemon processes one packet at a time, so by
definition one of the Child SAs finishes before the other, no matter
how close the timing is. It also has a feature, "uniqueids", that would
(dis)allow identical Child SAs, so the latter one establishing replaces
the previous one established.

I'm not convinced your issue is a protocol issue. It seems more like an
implementation issue? If any of your endpoints involved
libreswan/openswan, feel free to contact me.

Paul