Re: [IPsec] Fwd: I-D Action: draft-nir-ipsecme-cafr-00.txt
"Valery Smyslov" <svanru@gmail.com> Wed, 14 August 2013 09:52 UTC
From: Valery Smyslov <svanru@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>, ipsec@ietf.org
Date: Wed, 14 Aug 2013 13:52:29 +0400

Hi Yoav,

isn't it better to do Child SAs movement in a separate Informational
Exchange, rather than in IKE_AUTH?

Pros:
1. No race conditions
2. No additional complication to already over-complicated IKE_AUTH
3. More generic solution, so can be used in other situations,
   for example in case IKE SA is cloned (draft-mglt-ipsecme-keep-old-ike-sa).

Contras:
1. Extra round trip.

Regards,
Valery Smyslov.

> Hi all
>
> For a long time I've felt that re-authentication in IKEv2 has some harsh
> side effects in both uninterrupted IPsec and in continuation of the
> internal IP address assignment.
>
> This draft attempts to solve these issues.
>
> Comments are welcome, and I will be glad if the WG agrees to discuss and
> adopt this.
>
> Thanks
>
> Yoav
>
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>>
>>
>> Title     : Adopting Child SAs Following Re-Authentication in IKEv2
>> Author(s) : Yoav Nir
>> Filename  : draft-nir-ipsecme-cafr-00.txt
>> Pages     : 8
>> Date      : 2013-08-12
>>
>> Abstract:
>> This document describes an extension to the IKEv2 protocol whereby
>> Child SAs are moved to the new IKE SA following re-authentication.
>> This allows for a smoother transition with no loss of connectivity.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-nir-ipsecme-cafr
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-nir-ipsecme-cafr-00
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission until the htmlized version and diff are available at
>> tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec