Re: [IPsec] IKEv2 initial contact handling?
Paul Wouters <paul@cypherpunks.ca> Thu, 11 April 2013 13:48 UTC
Return-Path: <paul@cypherpunks.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF88721F8ADC for <ipsec@ietfa.amsl.com>; Thu, 11 Apr 2013 06:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vmlP8M-CkalV for <ipsec@ietfa.amsl.com>; Thu, 11 Apr 2013 06:48:38 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1F28021F8B13 for <ipsec@ietf.org>; Thu, 11 Apr 2013 06:48:38 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3Zmk8v4nw6z79M; Thu, 11 Apr 2013 09:48:31 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id FkKmuw9meLpa; Thu, 11 Apr 2013 09:48:30 -0400 (EDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by mx.nohats.ca (Postfix) with ESMTP; Thu, 11 Apr 2013 09:48:30 -0400 (EDT)
Received: by bofh.nohats.ca (Postfix, from userid 500) id 3B46080BD7; Thu, 11 Apr 2013 09:48:31 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 2F1EE80862; Thu, 11 Apr 2013 09:48:31 -0400 (EDT)
Date: Thu, 11 Apr 2013 09:48:31 -0400
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <20838.46739.562430.596310@fireball.kivinen.iki.fi>
Message-ID: <alpine.LFD.2.10.1304110940560.16994@bofh.nohats.ca>
References: <1365526990.17344.YahooMailNeo@web141003.mail.bf1.yahoo.com> <alpine.LFD.2.10.1304091448550.3283@bofh.nohats.ca> <1365570965.81158.YahooMailNeo@web141003.mail.bf1.yahoo.com> <20838.46739.562430.596310@fireball.kivinen.iki.fi>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Kanaga Kannappan <kanaga_k@yahoo.com>
Subject: Re: [IPsec] IKEv2 initial contact handling?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2013 13:48:38 -0000
On Thu, 11 Apr 2013, Tero Kivinen wrote: > First of all INITIAL_CONTACT is never sent rekeying so that is not a > problem. It is only sent when the end does not have any IKE or IPsec > SAs with the other end. But this can happen in various scenarios where your IKE's lifetime passed but not the IPsec SA lifetime. Then you might have one or more IPsec SA' open to the other end but without the corresponding IKE SA you might not realise these SA's are to the same peer. > Note, that it should not be considered a problem to have multiple IKE > SAs between two peers. The INITIAL_CONTACT notification is not > supposed to be preventing that, it is supposed to clear out old unused > IKE SAs the other end might have. You mean unused IPsec SA's right? Because clearing out old IKE SA's is easy - if the IDs match and you establish the IKE SA, loop through all existing IKE SA's and if the credentials/IDs match (and this is not some group PSK kind of setup) then delete the old IKE SA. Openswan/libreswan never used initial contact to determine that. > INITIAL_CONTACT was much more important in the IKEv1 world where there > was no reliable deletes, or other ways of knowing whether the other > end was alive or not. In IKEv2 there is less need for it, so leaving > it out does not cause that much problems. I really only see the need for initial contact to interop with Cisco, who can refuse to replace an existing IKE SA without the latest incoming IKE request carrying the INITIAL_CONTACT payload - at least for IKEv1. Paul
- [IPsec] IKEv2 initial contact handling? Kanaga Kannappan
- Re: [IPsec] IKEv2 initial contact handling? Paul Wouters
- Re: [IPsec] IKEv2 initial contact handling? Yoav Nir
- Re: [IPsec] IKEv2 initial contact handling? Kanaga Kannappan
- Re: [IPsec] IKEv2 initial contact handling? Tero Kivinen
- Re: [IPsec] IKEv2 initial contact handling? Paul Wouters
- Re: [IPsec] IKEv2 initial contact handling? Tero Kivinen
- Re: [IPsec] IKEv2 initial contact handling? Paul Wouters
- Re: [IPsec] IKEv2 initial contact handling? sandeep kampati