Re: [IPsec] IPsec Digest, Vol 123, Issue 21
Les Leposo <leposo@gmail.com> Tue, 19 August 2014 16:11 UTC
Return-Path: <leposo@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4D471A0462 for <ipsec@ietfa.amsl.com>; Tue, 19 Aug 2014 09:11:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s4x__Ybe4HXr for <ipsec@ietfa.amsl.com>; Tue, 19 Aug 2014 09:11:08 -0700 (PDT)
Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9ACD31A04E9 for <ipsec@ietf.org>; Tue, 19 Aug 2014 09:11:06 -0700 (PDT)
Received: by mail-wg0-f48.google.com with SMTP id x13so6670232wgg.7 for <ipsec@ietf.org>; Tue, 19 Aug 2014 09:11:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=cClI/EbXsN7eGS6uQWgPXNCw53koesq2kJY1t3ztYQs=; b=WI+CgOKq2bR1205vfUHGgNw4Pzi8L06XuMN5h5koiKdW4RjKT4ZQYKNRLqnBlFXsJs jzqfxVOSMLJCI4YLE2F8qTnB+DXAt/sWfzCDqS8LuMa4GLMaqXPaHcr61hO/ba4EpznO VFnwEtwdRgyAyHQLKZaj6taR0B6NwxEukuR1Qi0sJ2jp5i5ENfwbiciSxcFYKeh/Li70 /Pfcy2YZLS4F6EjEo0IPplnzKcvMggLDVRhiV21dlPJh97g76EicXAi95Ii8/4yHy2mG nK+5fykk4CKmXgoq2oAhF58mEnpaBkIR3mABaMd4Sj7QWKeOv6SvSZQJ5MbWlJC467Uu 6jAw==
X-Received: by 10.180.103.74 with SMTP id fu10mr7867389wib.47.1408464665317; Tue, 19 Aug 2014 09:11:05 -0700 (PDT)
Received: from [192.168.0.17] ([197.237.48.207]) by mx.google.com with ESMTPSA id o9sm26302363wjo.11.2014.08.19.09.11.03 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 19 Aug 2014 09:11:04 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_28B2A972-CCAF-48A3-A395-0F28367758D4"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Les Leposo <leposo@gmail.com>
In-Reply-To: <A878C09C-750C-4284-BDF5-31FFBFAB031B@gmail.com>
Date: Tue, 19 Aug 2014 19:10:58 +0300
Message-Id: <EB79ED19-846A-4925-96B8-97DCF2D66B8B@gmail.com>
References: <mailman.4236.1406823571.13632.ipsec@ietf.org> <A0463391-0BB4-408F-874B-A6B91ED6D102@gmail.com> <21490.4420.127387.489490@fireball.kivinen.iki.fi> <9852A873-1EEA-45EC-AEA3-BA654249A662@gmail.com> <E3D6D40E-FDFD-443E-BC11-81CF34A5F319@gmail.com> <DE3BA6C9-FE85-4587-AB96-36349F9B1F7C@gmail.com> <A878C09C-750C-4284-BDF5-31FFBFAB031B@gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/6Qx3FmkT6O-Tc-CiTVhe8N5njZQ
Cc: ipsec@ietf.org, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] IPsec Digest, Vol 123, Issue 21
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 16:11:09 -0000
On Aug 19, 2014, at 6:11 PM, Yoav Nir <ynir.ietf@gmail.com> wrote: > > On Aug 19, 2014, at 5:48 PM, Les Leposo <leposo@gmail.com> wrote: > >>>> >>>> Now, today's client devices need to be energy efficient - so the device sleeps/hibernates to save battery. >>>> Sleeping past the nat keepalives is bound to happen (either by design or error). >>>> At some point the device will wake from sleep and need to test reachability using dpd. >>>> >>>> And in some cases (if the sleep was more than a certain threshold), rather than wait for dpd to failover, the choice is to go for rekey. >>> >>> It depends which standards you’ve implemented. If you’ve implemented QCD (RFC 6290), then DPD fails or succeeds immediately as long as you have connectivity, >> RFC 6290 is ikev2 2011, Pauls complaint is regarding ikev1/ikev2... not sure. If ikev1, then we're beating a dead horse. >> But if ikev2, then my point still stands that the appropriate use of 'MUST’. > > I think that a remote access gateway that services battery-sensitive devices should allow a lot of time before initiating its own DPD. Unfortunately, there is no way for a gateway to communicate to the client “if you’ve been silent for X seconds, you can assume that I’ve started a DPD and probably killed your IKE SA”. > >>> and it doesn’t make sense to go directly to a new Initial exchange. >>> >> >> What if the IKE SA was nearing expiry, and/or the server initiated a rekey while you were asleep. > > Under IKEv2 rules, the rekey failed and the old IKE SA is gone. It’s OK that it happened, It’s only a matter of detecting this efficiently. yup > >>> AFAIK racoon doesn’t have that. Maybe it has session tickets, which make the Initial exchange lighter. >>> >>> Of course, wiping all state every time you blank the screen is (if true) a very weird implementation choice. >> Do you mean screen lock? > > If that’s what it is called on an iPhone (I don’t have one). I mean whatever makes the screen go blank so that you need to press a button and swipe the screen in some direction, optionally including a code. > Not the official term. It is a screen lock because the user was logged out and you would have to log back in. I haven't used ios vpn in almost 2 years. I believe that can be tweaked either by a setting on the Gateway policies or on ios provisioning profile. But it sounds like a system level security policy/decision. Not necessarily directly related to the ike daemon (perhaps another part of the system). I hate to keep theorising on Paul's issue, but it might be that the Screen lock/unlock is indirectly triggering a signal/crash on the ike daemon. > Yoav > >
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo