Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00.txt
Yoav Nir <ynir@checkpoint.com> Wed, 14 August 2013 21:40 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62AEB11E8189 for <ipsec@ietfa.amsl.com>; Wed, 14 Aug 2013 14:40:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.528
X-Spam-Level:
X-Spam-Status: No, score=-10.528 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ORds29Cn+7me for <ipsec@ietfa.amsl.com>; Wed, 14 Aug 2013 14:40:16 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1FC1921F9A34 for <ipsec@ietf.org>; Wed, 14 Aug 2013 14:40:11 -0700 (PDT)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r7ELe825032420; Thu, 15 Aug 2013 00:40:08 +0300
X-CheckPoint: {520BF938-3-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.105]) by DAG-EX10.ad.checkpoint.com ([169.254.3.223]) with mapi id 14.02.0342.003; Thu, 15 Aug 2013 00:40:07 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Valery Smyslov <svanru@gmail.com>
Thread-Topic: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00.txt
Thread-Index: AQHOmPGrxZY+CIrhHk+QOWo1456QUpmUvTiigABMSAA=
Date: Wed, 14 Aug 2013 21:40:07 +0000
Message-ID: <3534574F-9683-49C3-A583-5FEDC05F839B@checkpoint.com>
References: <20130812223310.2768.80108.idtracker@ietfa.amsl.com> <482E5FF2-2AD7-469B-9679-A5945E609A5F@checkpoint.com> <69110CB5C30743C4A03CCAB62F7D9843@buildpc> <587E0A87-381F-4950-A495-CC8F1706DE7E@checkpoint.com> <FE4D58425F5943FBBFA3AEF73D8951C5@buildpc>
In-Reply-To: <FE4D58425F5943FBBFA3AEF73D8951C5@buildpc>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.77]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11c70d9a6d65cb7677ca18b02951cdfc9cdbb5dfeb
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <C07CC5CEC0E96C49A5D68C252DD19797@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<ipsec@ietf.org>" <ipsec@ietf.org>
Subject: Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 21:40:24 -0000
Thinking it over, there is one significant advantage to what you're proposing. Suppose our exchanges are like this: 1. IKE_INITIAL exchange 2. IKE_AUTH exchange (for re-authentication) 3. IKE Informational (for moving the Child SAs) 4. IKE Informational (for deleting the old IKE SA) #3 can then be run over the old IKE SA. The notification will have the IKE SPIs of the new IKE SA. And this makes the crypto unnecessary - the Notification could be simple the IKE SPIs, and the only verification necessary is that the authenticated identity is the same. We could even unify #3 and #4 into a single Informational, but it should be the initiator of the new IKE SA that sends it. I think I like that suggestion. Yoav On Aug 14, 2013, at 5:07 PM, Valery Smyslov <svanru@gmail.com> wrote: >>> isn't it better to do Child SAs movement in a separate Informational Exchange, >>> rather than in IKE_AUTH? >>> >>> Pros: >>> 1. No race conditions >> >> You would then have three operations that you need to do: >> a. Re-authenticate - create a new IKE SA >> b. Move the IPsec SAs >> c. Delete the old IKE SA >> >> Each of (b) and (c) could be done by any peer, not necessarily the same one that did (a). If we get a DELETE before all the IPsec SAs >> were transferred, some SAs could be deleted, or worse - they could be deleted on only one peer. > > Well, similar race conditions are already existed in IKEv2 and are covered > in section 2.25. And I believe, if you properly describe all possible collisions and > due actions, those situations, when some SAs are transferred and some not etc. > will not happen. Note, that code to deal with collisions according with 2.25 > is already in IKEv2, you need only to update conditions to send TEMPORARY_FAILURE > notification. > >>> 2. No additional complication to already over-complicated IKE_AUTH >> >> It adds one more thing for the peers to do during IKE_AUTH, but it doesn't make a difference if the extra thing is within IKE_AUTH or >> immediately after. If the issue is the length of the packet, I believe we are already solving this. > > No, size is not an issue here. But complexity of processing logic for IKE_AUTH is an issue. > >>> 3. More generic solution, so can be used in other situations, >>> for example in case IKA SA is cloned (draft-mglt-ipsecme-keep-old-ike-sa). >> >> Interesting point. That draft does not, in fact, state what happens to the child SAs. Since the old SA is kept, I guess they remain, and when >> the old IKE SA does eventually get deleted, the child SAs are also deleted. Nor does it help to specify that they move: the new IKE SA >> might get deleted first. > > I remember the author was asked at the meeting what to do with child SAs, > and he answrered that ability to move them is the next step, that is not covered in the current > version of the draft (if I got it right). > > > Email secured by Check Point
- [IPsec] Fwd: I-D Action: draft-nir-ipsecme-cafr-0… Yoav Nir
- Re: [IPsec] Fwd: I-D Action: draft-nir-ipsecme-ca… Valery Smyslov
- Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00… Valery Smyslov
- Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00… Yoav Nir
- Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00… Yoav Nir