Re: [IPsec] IKEv2 initial contact handling?
Kanaga Kannappan <kanaga_k@yahoo.com> Wed, 10 April 2013 05:16 UTC
Return-Path: <kanaga_k@yahoo.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C06F21F918F for <ipsec@ietfa.amsl.com>; Tue, 9 Apr 2013 22:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.669
X-Spam-Level:
X-Spam-Status: No, score=-1.669 tagged_above=-999 required=5 tests=[AWL=0.929, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q5tklREJHaah for <ipsec@ietfa.amsl.com>; Tue, 9 Apr 2013 22:16:06 -0700 (PDT)
Received: from nm18-vm0.bullet.mail.bf1.yahoo.com (nm18-vm0.bullet.mail.bf1.yahoo.com [98.139.213.138]) by ietfa.amsl.com (Postfix) with SMTP id 2031821F9184 for <ipsec@ietf.org>; Tue, 9 Apr 2013 22:16:06 -0700 (PDT)
Received: from [98.139.212.151] by nm18.bullet.mail.bf1.yahoo.com with NNFMP; 10 Apr 2013 05:16:05 -0000
Received: from [98.139.212.212] by tm8.bullet.mail.bf1.yahoo.com with NNFMP; 10 Apr 2013 05:16:05 -0000
Received: from [127.0.0.1] by omp1021.mail.bf1.yahoo.com with NNFMP; 10 Apr 2013 05:16:05 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 472180.51499.bm@omp1021.mail.bf1.yahoo.com
Received: (qmail 89159 invoked by uid 60001); 10 Apr 2013 05:16:05 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1365570965; bh=3UO2Cab1VP3Li1jXPvhNJbgh9A7ISdn/nWNhtLxgr0M=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=f7J5tCLUnE0RdmkDzR/HiBHgfC29HrBFRKx+Wu0GeYz+dV+DFTUzhEZAEXCKqr452NWZNUQn1HNpL8bE1rWYSjDlWkFGiTQhqBWmv+FZ8Yt4xJGDgFLorqCX7fwSfGRseM+JQ1hOcKFoaSx7UsWr4V5ZmMm3dP5Peo1LKpAMRC8=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=CAbOD7Auq+N82NqikR8EBgtj4CGt8un60XxTYzyNjJyEl7eDj8Aoc+j00OKTbUoGOWSNFhDlgUM1cnq5V8SORK1ie6M1LPcWNAg4czi6vETL/qrKRLP0PYUzF83+M+t9QNXqdoI4kqZ1HJRDL/b9ChJ6TIa5jLdTT8y0XrAy/ao=;
X-YMail-OSG: wKiTg5QVM1mkDICZ1_nMCcjdkQLw74Dv4tYFwQXLkeOGgji ak55ZLs5lGbkjl6kcGLCSPsEuXneoe6oKyns9Mu7aaOnghJ2OivOHCS93GqL EWzxdcUR4kqRQfpQyjdUBV8SHeclNdf_9rBqbG1spM4l920wNmnfWEmMSkle LXg9hYFot1AsHz5vcVE05fKgvO1wKXvloVA4l4TXeOOtA7upSwiAVQaLQDXR ipg.7FKQGsQzVsXuoupHAFtx5XwsCxVoWOPEimZdLEqr6q2ELNjNJW_njGyQ kVyRgcG6OoJIqbmWt6BwdfU6CMZtmZ1G95BKgohU88nD065oKhLFypIJr1_8 58Iz2i5K3DhChKPJAUbPo5.Z8PvhEHEkSlrJhpRoR.JPmugmyNsgQqogmC0m CrkGyCShDGIdRBl47nbJsq2tdr371J9m7K1fMjb4RShk5waUlU5XaTfcIlnt WIdV7rvieH.kRE1GkBQl2RXjMtr1Rbwsiii0iFA3ac5B595ok_YHJtz6cOBP Iw3FamfNyowWxk0gFeg--
Received: from [116.197.178.83] by web141003.mail.bf1.yahoo.com via HTTP; Tue, 09 Apr 2013 22:16:05 PDT
X-Rocket-MIMEInfo: 002.001, SGkgUGF1bCwKClRoYW5rcyBmb3IgdGhlIHJlc3BvbnNlLgoKWWVzLCB3ZSBjYW4gcmV0YWluIHRoZSBJUHNlYyBTQXMgb24gcmVzcG9uZGVyIHRvIGF2b2lkIGJsYWNraG9saW5nLgoKQnV0IGluIElLRXYyLCBJS0UgJiBJUHNlYyBTQXMgYXJlIHRpZWQgdG9nZXRoZXIgYW5kLCBpbiB0aGlzIGNhc2Ugd2Ugd291bGQgaGF2ZSB0byBjcmVhdGUgYW4gZXhjZXB0aW9uLCB3aGVyZSBJUHNlYyBTQSB3b3VsZCBsaXZlIHdpdGhvdXQgYSBwYXJlbnQgSUtFIFNBLgoKLWthbmFnYS4KCgoKX19fX19fX19fX19fX19fX18BMAEBAQE-
X-Mailer: YahooMailWebService/0.8.140.532
References: <1365526990.17344.YahooMailNeo@web141003.mail.bf1.yahoo.com> <alpine.LFD.2.10.1304091448550.3283@bofh.nohats.ca>
Message-ID: <1365570965.81158.YahooMailNeo@web141003.mail.bf1.yahoo.com>
Date: Tue, 09 Apr 2013 22:16:05 -0700
From: Kanaga Kannappan <kanaga_k@yahoo.com>
To: Paul Wouters <paul@cypherpunks.ca>
In-Reply-To: <alpine.LFD.2.10.1304091448550.3283@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-1028315969-546434975-1365570965=:81158"
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] IKEv2 initial contact handling?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Kanaga Kannappan <kanaga_k@yahoo.com>
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2013 05:16:07 -0000
Hi Paul, Thanks for the response. Yes, we can retain the IPsec SAs on responder to avoid blackholing. But in IKEv2, IKE & IPsec SAs are tied together and, in this case we would have to create an exception, where IPsec SA would live without a parent IKE SA. -kanaga. ________________________________ From: Paul Wouters <paul@cypherpunks.ca> To: Kanaga Kannappan <kanaga_k@yahoo.com> Cc: "ipsec@ietf.org" <ipsec@ietf.org> Sent: Wednesday, April 10, 2013 12:30 AM Subject: Re: [IPsec] IKEv2 initial contact handling? On Tue, 9 Apr 2013, Kanaga Kannappan wrote: > How to handle "Initial Contact Notification" during simultaneous IKEv2 SA negotiation? > > For example: A pair of gateways are initiating IKEv2 negotiation almost at the same time resulting in 2 > sets of IKEv2 SAs. In IKE_AUTH, both the boxes are sending "Initial Contact" notification and IKE_AUTH > almost cross each other. On receiving the IC, if both try to delete the other IKE SAs on the box, we end > up having different sets of IKE & child SAs on the both sides. Initial contact is a bad feature all around. A responder should just leave the old IPsec SA there to expire when its lifetime is reached. Anything else causes issues. For example, with IKEv1 if you delete the IPsec SA when you receive the payload, and then send back an IKE packet to handle things like XAUTH authenticatin, there is a time when you have no valid IPsec SA installed during a rekey, and thus tunnel downtime. Especially if XAUTH requires a human punching in things from a token. The only reason we (libreswan) implemented sending the payload (for IKEv1) is that Cisco can refuse to replace an IPsec SA when it did not receive Initial Contact, despite this new IKE having perfectly authenticated without a problem. Libreswan fully ignores receiving an initial contact payload. When it determines the peer ids match an existing IKE SA, it will replace it, but again leave the IPsec SA to expire of old age, as we cannot be sure when the other end switches from the old to the new IPsec SA. This all seems a remnant from configurations where the IDs are not unique, commercially known as 'Group PSK' configurations, which were always a bad idea as any member could pretend to be gateway and learn all the remaining XAUTH credentials of all other users. You should leave in the old IPsec SA despite the initial contact payload. If your implementation allows you to keep track, you could delete the old IPsec SA once you see traffic on the new IPsec SA. Paul _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] IKEv2 initial contact handling? Kanaga Kannappan
- Re: [IPsec] IKEv2 initial contact handling? Paul Wouters
- Re: [IPsec] IKEv2 initial contact handling? Yoav Nir
- Re: [IPsec] IKEv2 initial contact handling? Kanaga Kannappan
- Re: [IPsec] IKEv2 initial contact handling? Tero Kivinen
- Re: [IPsec] IKEv2 initial contact handling? Paul Wouters
- Re: [IPsec] IKEv2 initial contact handling? Tero Kivinen
- Re: [IPsec] IKEv2 initial contact handling? Paul Wouters
- Re: [IPsec] IKEv2 initial contact handling? sandeep kampati