Re: [IPsec] Fwd: I-D Action: draft-nir-ipsecme-cafr-00.txt

"Valery Smyslov" <svanru@gmail.com> Wed, 14 August 2013 09:52 UTC

Message-ID: <69110CB5C30743C4A03CCAB62F7D9843@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>, ipsec@ietf.org
References: <20130812223310.2768.80108.idtracker@ietfa.amsl.com> <482E5FF2-2AD7-469B-9679-A5945E609A5F@checkpoint.com>
Date: Wed, 14 Aug 2013 13:52:29 +0400

Hi Yoav,

isn't it better to do Child SAs movement in a separate Informational Exchange, rather than in IKE_AUTH?

Pros:
1. No race conditions
2. No additional complication to already over-complicated IKE_AUTH
3. More generic solution, so can be used in other situations, for example in case IKE SA is cloned (draft-mglt-ipsecme-keep-old-ike-sa).

Cons:
1. Extra round trip.

Regards,
Valery Smyslov.

> Hi all
>
> For a long time I've felt that re-authentication in IKEv2 has some harsh 
> side effects in both uninterrupted IPsec and in continuation of the 
> internal IP address assignment.
>
> This draft attempts to solve these issues.
>
> Comments are welcome, and I will be glad if the WG agrees to discuss and 
> adopt this.
>
> Thanks
>
> Yoav
>
>> A New Internet-Draft is available from the on-line Internet-Drafts 
>> directories.
>>
>>
>> Title           : Adopting Child SAs Following Re-Authentication in IKEv2
>> Author(s)       : Yoav Nir
>> Filename        : draft-nir-ipsecme-cafr-00.txt
>> Pages           : 8
>> Date            : 2013-08-12
>>
>> Abstract:
>>   This document describes an extension to the IKEv2 protocol whereby
>>   Child SAs are moved to the new IKE SA following re-authentication.
>>   This allows for a smoother transition with no loss of connectivity.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-nir-ipsecme-cafr
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-nir-ipsecme-cafr-00
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/