Re: Racing QM Initiator's

"Valery Smyslov" <svan@trustworks.com> Fri, 15 October 1999 08:34 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id BAA20262; Fri, 15 Oct 1999 01:34:19 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id DAA02706 Fri, 15 Oct 1999 03:02:53 -0400 (EDT)
Message-Id: <199910150705.LAA04277@relay1.trustworks.com>
From: Valery Smyslov <svan@trustworks.com>
Organization: TWS
To: "Scott G. Kelly" <skelly@redcreek.com>, Dan Harkins <dharkins@network-alchemy.com>
Date: Fri, 15 Oct 1999 11:04:35 +0400
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: Re: Racing QM Initiator's
CC: Sankar Ramamoorthi <Sankar@vpnet.com>, Jan Vilhuber <vilhuber@cisco.com>, Ben McCann <bmccann@indusriver.com>, ipsec@lists.tislabs.com
In-reply-to: <3805FC73.510A44F9@redcreek.com>
X-mailer: Pegasus Mail for Win32 (v3.12a)
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

On 14 Oct 99, at 8:53, Scott G. Kelly wrote:

> Valery Smyslov wrote:
> 
> <trimmed...>
> > 
> > Dan, it's OK with simultaneous phase 2 negotiations. But what about
> > simultaneous phase 1 negotiations? Is there any reason (besides
> > implementation simplicity) not to drop one of the negotiations (of course,
> > with some clear rule to decide which one, for example, based on a
> > comparison of IP addresses)?
> 
> How about the case in which one of the phase 1 SAs requires ID PFS while
> the other one does not? The following diagram clarifies:
> 
> +---+  |                          |  +---+
> | A |--|  +---+            +---+  |--| B |
> +---+  |--| x |==internet==| y |--|  +---+
>        |  +---+            +---+  |
> +---+  |                          |  +---+
> | C |--|                          |--| D |
> +---+  |                          |  +---+
> 
> Assume that x and y are security gateways which provide ipsec services
> to their respective local networks. Suppose that A wants to talk to D,
> and this SA requires ID PFS. Suppose that around the same time, B wants
> to talk to C, and this SA does not require PFS. When a packet A=>D
> arrives at x, x begins negotiating with y. Suppose a packet B=>C arrives
> at y prior to the arrival of x's first IKE packet, at which time y
> initiates IKE with x, and the two IKE packets are simultaneously in
> transit.
> 
> This is a case in which it would be incorrect to drop one of the
> negotiations.

Good point. But robust implementations must be able to deal with the
situation where one peer thinks he can use an existing ISAKMP SA while
the other doesn't, anyway. I think they must be able to
recover after dropping one negotiation (in fact, in your scenario, the
dropped negotiation will just be deferred). Of course, if both peers
need ID PFS, there is no reason to drop.

In my opinion, ID PFS is too rare a thing to justify extra
resource wasting (DH) in the case of simultaneous phase 1 negotiations.

> Scott

Regards,
Valera.
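The tie-break rule debated in this exchange, written out as an added Python example (not code from the thread or from any IKE implementation). The gateway addresses are constructed, and the rule itself ("keep the negotiation started by the numerically lower address, unless both sides need ID PFS, in which case keep both") is an assumption built from Valery's proposal and Scott's objection above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1:
    """One phase 1 (ISAKMP SA) negotiation in flight between two gateways."""
    initiator: str   # address of the gateway that sent the first IKE packet
    responder: str
    id_pfs: bool     # the phase 2 waiting behind it requires identity PFS


def tie_break_winner(a: Phase1, b: Phase1) -> Phase1:
    """Assumed deterministic rule: both peers keep the negotiation started by
    the numerically lower initiator address, so they reach the same answer
    without any extra round trip."""
    return min((a, b), key=lambda n: int(ipaddress.ip_address(n.initiator)))


def resolve_crossing(local: Phase1, remote: Phase1) -> dict:
    """Decide what to do when two phase 1 negotiations cross in transit.

    Returns {"keep": frozenset, "defer": frozenset}.  A deferred negotiation
    is not lost: its initiator retries once the surviving phase 1 completes.
    """
    if local.id_pfs and remote.id_pfs:
        # Each phase 2 needs its own ISAKMP SA anyway, so dropping one buys
        # nothing; let both complete (Valery's stated exception).
        return {"keep": frozenset({local, remote}), "defer": frozenset()}
    winner = tie_break_winner(local, remote)
    loser = remote if winner is local else local
    return {"keep": frozenset({winner}), "defer": frozenset({loser})}


if __name__ == "__main__":
    # Scott's diagram, with constructed addresses: x starts phase 1 for A=>D
    # (needs ID PFS) while y starts phase 1 for B=>C (no PFS).
    x, y = "198.51.100.10", "203.0.113.20"
    x_neg = Phase1(initiator=x, responder=y, id_pfs=True)
    y_neg = Phase1(initiator=y, responder=x, id_pfs=False)
    # Each gateway evaluates the rule from its own point of view ...
    seen_by_x = resolve_crossing(x_neg, y_neg)
    seen_by_y = resolve_crossing(y_neg, x_neg)
    # ... and both must agree, or they would end up with mismatched state.
    print("peers agree:", seen_by_x == seen_by_y)
    print("kept:", [n.initiator for n in seen_by_x["keep"]])
    print("deferred:", [n.initiator for n in seen_by_x["defer"]])
```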