[IPsec] ikev2bis issue #184: Interaction of rekeying of the IKE_SA and windows
Tero Kivinen <kivinen@iki.fi> Thu, 01 April 2010 12:47 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4BB743A6C79 for <ipsec@core3.amsl.com>; Thu, 1 Apr 2010 05:47:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.391
X-Spam-Level:
X-Spam-Status: No, score=-0.391 tagged_above=-999 required=5 tests=[AWL=-0.781, BAYES_20=-0.74, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NsFbqv0z8Eip for <ipsec@core3.amsl.com>; Thu, 1 Apr 2010 05:47:09 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id 0B1293A7010 for <ipsec@ietf.org>; Thu, 1 Apr 2010 05:32:51 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o31CXM77015780 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 1 Apr 2010 15:33:22 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o31CXL17008686; Thu, 1 Apr 2010 15:33:21 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19380.37521.240008.160281@fireball.kivinen.iki.fi>
Date: Thu, 01 Apr 2010 15:33:21 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p0624080ac7d83fbd1243@[10.20.30.158]>
References: <p0624080ac7d83fbd1243@[10.20.30.158]>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 13 min
X-Total-Time: 14 min
Cc: IPsecme WG <ipsec@ietf.org>
Subject: [IPsec] ikev2bis issue #184: Interaction of rekeying of the IKE_SA and windows
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2010 12:47:10 -0000
Paul Hoffman writes: > s2.3: Should there be some discussion of the interaction of rekeying > of the IKE_SA and windows? We already have text about that in the section 2.8 and section 2.25 Exchange Collisions. > Presumably a rekey message should not be actioned until all previous > messages have been responded to. Depends about the message. I.e. if peer receives request to create or rekey Child SAs when it is rekeying IKE SA it should reply with TEMPORARY_FAILURE. If it receives requiest to delete child SA, it can go on normally. Note, that rekeying IKE SA does not mean that the old IKE SA is deleted immediately, it can still (and usually will stay) there for a moment, before it is deleted, and will be deleted as separate exchange. > Likewise receiving a Message ID with a sequence number bigger than > that in the rekey message should be very suspect! You mean getting first rekey request and then some other request on the same IKE SA? Yes, that is something that should not happen, but is not explicitly forbidden. It cannot really create or rekey IPsec SAs, as it does not know to which IKE SA those IPsec SAs belong to. Rekeying moves those IPsec SAs from old IKE SA to new IKE SA, and depending when other end processes the rekey message, this move might already happened or it might be still in progress. Deleting IPsec SAs is possible, but not advisable. Other messages like DPD should be processed as normally, and there is no problem there. > Should the INVALID_MESSAGE_ID notification be sent > in this case (and before or after the rekey?) No. The message ID is not invalid, as it is not outside the window, thus this error message cannot be sent. The responder can fail those request with various error messages, like TEMPORARY_FAILURE, CHILD_SA_NOT_FOUND, or NO_PROPOSAL_CHOSEN depending on the request and how the other end processes messages. > There might be some knock on into s2.8 where rekeying is discussed. > And maybe into s2.25? This is mostly covered by 2.25, altough I do not think we explictly say that initiator cannot send any new exchanges after it started IKE SA rekey. It is just assumed that it does not do that... The 2.25 mostly covers cases where the other end starts exchanges after one end has started IKE SA rekey, as this is something that the end starting IKE SA rekey cannot control. -- kivinen@iki.fi
- [IPsec] ikev2bis issue #184: Interaction of rekey… Paul Hoffman
- [IPsec] ikev2bis issue #184: Interaction of rekey… Tero Kivinen