Re: Racing QM Initiator's

[Vipul Gupta <Vipul.Gupta@Eng.Sun.Com>]

  But aren't these two messages going out with different message IDs
  generated randomly by each Phase II initiator? If so, why is there
  a problem ? This will result in two IPSec SAs where one would have
  been sufficient but I don't view that as catastrophic.
  
  What am I missing?
  
  vipul
  
> Date: Wed, 13 Oct 1999 15:17:07 -0400
> From: Ben McCann <bmccann@indusriver.com>
> 
> By dumb luck, I just had two SG's attempt a QM exchange with each
> other _at_the_same_time_. Each sent the first QM packet as initiator and
> each got that packet and tried to act as QM responder. Both got confused
> because they both switched from Initiator to Responder in mid-stream.
> 
> Here was my test configuration:
> 
> 	C1-----SG=======SG-----C2
> 
> Clients 1 and 2 (C1, C2) are both pinging each other. Policy on the
> SG's creates tunnel mode SA's for the ping traffic. The current Phase
> 2 SA for ping expires at the same time on both SG's. Then next ping
> send by each client triggers each SG to create a Phase 2 SA.
> 
> What is the interoperable way to solve this race? I trolled through
> the list archives but didn't see anything relevant. Possibilities are:
> 
> 1. Deal with it. Two QM exchanges occur where both SG's are temporarily
> both Phase 2 initiator and responder. (This could be tough because that
> state is part of the parent Phase 1 SA).
> 
> 2. Both SG's abort the QM exchange, backoff, and retry later.
> 
> 3. One SG aborts and becomes responder. How do you know which should
> abort? The SG with the lowest IP address?
> 
> I'm sure there are other options too. Any opinions are welcome...
> 
> Thanks,
> Ben McCann
> 
> -- 
> Ben McCann                              Indus River Networks
>                                         31 Nagog Park
>                                         Acton, MA, 01720
> email: bmccann@indusriver.com           web: www.indusriver.com 
> phone: (978) 266-8140                   fax: (978) 266-8111