IETF Logo Mail Archive

Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00.txt

Yoav Nir <ynir@checkpoint.com> Wed, 14 August 2013 21:40 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62AEB11E8189 for <ipsec@ietfa.amsl.com>; Wed, 14 Aug 2013 14:40:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.528
X-Spam-Level:
X-Spam-Status: No, score=-10.528 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ORds29Cn+7me for <ipsec@ietfa.amsl.com>; Wed, 14 Aug 2013 14:40:16 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1FC1921F9A34 for <ipsec@ietf.org>; Wed, 14 Aug 2013 14:40:11 -0700 (PDT)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r7ELe825032420; Thu, 15 Aug 2013 00:40:08 +0300
X-CheckPoint: {520BF938-3-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.105]) by DAG-EX10.ad.checkpoint.com ([169.254.3.223]) with mapi id 14.02.0342.003; Thu, 15 Aug 2013 00:40:07 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Valery Smyslov <svanru@gmail.com>
Thread-Topic: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00.txt
Thread-Index: AQHOmPGrxZY+CIrhHk+QOWo1456QUpmUvTiigABMSAA=
Date: Wed, 14 Aug 2013 21:40:07 +0000
Message-ID: <3534574F-9683-49C3-A583-5FEDC05F839B@checkpoint.com>
References: <20130812223310.2768.80108.idtracker@ietfa.amsl.com> <482E5FF2-2AD7-469B-9679-A5945E609A5F@checkpoint.com> <69110CB5C30743C4A03CCAB62F7D9843@buildpc> <587E0A87-381F-4950-A495-CC8F1706DE7E@checkpoint.com> <FE4D58425F5943FBBFA3AEF73D8951C5@buildpc>
In-Reply-To: <FE4D58425F5943FBBFA3AEF73D8951C5@buildpc>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.77]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11c70d9a6d65cb7677ca18b02951cdfc9cdbb5dfeb
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <C07CC5CEC0E96C49A5D68C252DD19797@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<ipsec@ietf.org>" <ipsec@ietf.org>
Subject: Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 21:40:24 -0000

Thinking it over, there is one significant advantage to what you're proposing. Suppose our exchanges are like this:

 1. IKE_INITIAL exchange
 2. IKE_AUTH exchange (for re-authentication)
 3. IKE Informational (for moving the Child SAs)
 4. IKE Informational (for deleting the old IKE SA)

#3 can then be run over the old IKE SA. The notification will have the IKE SPIs of the new IKE SA. And this makes the crypto unnecessary - the Notification could be simple the IKE SPIs, and the only verification necessary is that the authenticated identity is the same. We could even unify #3 and #4 into a single Informational, but it should be the initiator of the new IKE SA that sends it.

I think I like that suggestion.

Yoav
 
On Aug 14, 2013, at 5:07 PM, Valery Smyslov <svanru@gmail.com> wrote:

>>> isn't it better to do Child SAs movement in a separate Informational Exchange,
>>> rather than in IKE_AUTH?
>>> 
>>> Pros:
>>> 1. No race conditions
>> 
>> You would then have three operations that you need to do:
>> a. Re-authenticate - create a new IKE SA
>> b. Move the IPsec SAs
>> c. Delete the old IKE SA
>> 
>> Each of (b) and (c) could be done by any peer, not necessarily the same one that did (a). If we get a DELETE before all the IPsec SAs
>> were transferred, some SAs could be deleted, or worse - they could be deleted on only one peer.
> 
> Well, similar race conditions are already existed in IKEv2 and are covered
> in section 2.25. And I believe, if you properly describe all possible collisions and
> due actions, those situations, when some SAs are transferred and some not etc.
> will not happen. Note, that code to deal with collisions according with 2.25
> is already in IKEv2, you need only to update conditions to send TEMPORARY_FAILURE
> notification.
> 
>>> 2. No additional complication to already over-complicated IKE_AUTH
>> 
>> It adds one more thing for the peers to do during IKE_AUTH, but it doesn't make a difference if the extra thing is within IKE_AUTH or
>> immediately after. If the issue is the length of the packet, I believe we are already solving this.
> 
> No, size is not an issue here. But complexity of processing logic for IKE_AUTH is an issue.
> 
>>> 3. More generic solution, so can be used in other situations,
>>>  for example in case IKA SA is cloned (draft-mglt-ipsecme-keep-old-ike-sa).
>> 
>> Interesting point. That draft does not, in fact, state what happens to the child SAs. Since the old SA is kept, I guess they remain, and when
>> the old IKE SA does eventually get deleted, the child SAs are also deleted. Nor does it help to specify that they move: the new IKE SA
>> might get deleted first.
> 
> I remember the author was asked at the meeting what to do with child SAs,
> and he answrered that ability to move them is the next step, that is not covered in the current
> version of the draft (if I got it right).
> 
> 
> Email secured by Check Point

v2.23.0 | Report a Bug | By Email