[IPsec] Ticket-by-reference and protecting the exchange
<Pasi.Eronen@nokia.com> Tue, 18 November 2008 15:53 UTC
Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B76303A6851; Tue, 18 Nov 2008 07:53:35 -0800 (PST)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 28DA23A6851 for <ipsec@core3.amsl.com>; Tue, 18 Nov 2008 07:53:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.406
X-Spam-Level:
X-Spam-Status: No, score=-6.406 tagged_above=-999 required=5 tests=[AWL=0.193, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zcxwi3Uhj-GK for <ipsec@core3.amsl.com>; Tue, 18 Nov 2008 07:53:33 -0800 (PST)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id 689D53A6808 for <ipsec@ietf.org>; Tue, 18 Nov 2008 07:53:33 -0800 (PST)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx09.nokia.com (Switch-3.2.6/Switch-3.2.6) with ESMTP id mAIFqBo6000342 for <ipsec@ietf.org>; Tue, 18 Nov 2008 09:53:30 -0600
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 18 Nov 2008 17:53:28 +0200
Received: from vaebe104.NOE.Nokia.com ([10.160.244.59]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 18 Nov 2008 17:53:28 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Tue, 18 Nov 2008 17:53:27 +0200
Message-ID: <1696498986EFEC4D9153717DA325CB720251410F@vaebe104.NOE.Nokia.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Ticket-by-reference and protecting the exchange
Thread-Index: AclJlcvQh/bLY3mxSneX3JjE8IsQuw==
From: Pasi.Eronen@nokia.com
To: ipsec@ietf.org
X-OriginalArrivalTime: 18 Nov 2008 15:53:28.0648 (UTC) FILETIME=[CC7D2C80:01C94995]
X-Nokia-AV: Clean
Subject: [IPsec] Ticket-by-reference and protecting the exchange
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Tough chairs! Here's the answer I was going to say at the microphone: The client does not (and cannot) know whether it's using "ticket-by-value" (where the ticket contains the gateway's state, in encrypted form) or "ticket-by-reference" (where the ticket contains only a pointer to state stored locally by the gateway), or even a combination (some state is in the ticket, some is stored locally). In *addition* to storing the ticket blob, the client has to store the keys from the old IKE_SA (and this is done even if ticket-by-reference is used -- since the client cannot know that). The client uses these keys to protect the resumption exchange. The gateway also needs these keys; it gets them from the ticket, or from its local storage (using the ticket as a pointer). If the gateway is using ticket-by-reference, and there's a cluster of multiple gateways, the cluster members need to communicate somehow (and obviously this communication needs to be secured somehow). This protocol is explicitly beyond the scope of the charter. (BTW, if the gateway uses ticket-by-reference, things work pretty much the same way as draft-xu-ike-sa-sync, except that the terminology is slightly different, and this document doesn't say anything about how multiple gateways communicate, possibly via some database server, called "stub bank" in draft-xu-...). Best regards, Pasi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Ticket-by-reference and protecting the ex… Pasi.Eronen
- Re: [IPsec] Ticket-by-reference and protecting th… Ahmad Muhanna
- Re: [IPsec] Ticket-by-reference and protecting th… Pasi.Eronen
- Re: [IPsec] Ticket-by-reference and protecting th… Lakshminath Dondeti
- Re: [IPsec] Ticket-by-reference and protecting th… Ahmad Muhanna
- Re: [IPsec] Ticket-by-reference and protecting th… Lakshminath Dondeti
- Re: [IPsec] Ticket-by-reference and protecting th… Pasi.Eronen
- Re: [IPsec] Ticket-by-reference and protecting th… Pasi.Eronen
- Re: [IPsec] Ticket-by-reference and protecting th… Ahmad Muhanna
- Re: [IPsec] Ticket-by-reference and protecting th… Yoav Nir