Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)
Tero Kivinen <kivinen@iki.fi> Tue, 06 May 2014 13:13 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 747101A0429 for <ipsec@ietfa.amsl.com>; Tue, 6 May 2014 06:13:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4QxzKjLaZ7RM for <ipsec@ietfa.amsl.com>; Tue, 6 May 2014 06:13:47 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 34E871A030B for <ipsec@ietf.org>; Tue, 6 May 2014 06:13:47 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.7) with ESMTP id s46DDX7N003849 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 6 May 2014 16:13:33 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.7/Submit) id s46DDXDA023985; Tue, 6 May 2014 16:13:33 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <21352.57341.564145.859848@fireball.kivinen.iki.fi>
Date: Tue, 06 May 2014 16:13:33 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: vijay kn <vijay.kn@huawei.com>
In-Reply-To: <AD5AD8B0B070044BAD3C37D7057F37E153FE65DB@szxeml513-mbx.china.huawei.com>
References: <AD5AD8B0B070044BAD3C37D7057F37E153FE638D@szxeml513-mbx.china.huawei.com> <E1DF8B79-5C70-43EF-AA52-1F13F1A77C7B@gmail.com> <AD5AD8B0B070044BAD3C37D7057F37E153FE64F9@szxeml513-mbx.china.huawei.com> <CF8D08A7.5371E%praveenys@juniper.net> <CAPfd2wMf4WymBeVWJ9=4vMVRW_-0kLytmXahyhBTuh+xUe_LdQ@mail.gmail.com> <AD5AD8B0B070044BAD3C37D7057F37E153FE65DB@szxeml513-mbx.china.huawei.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 12 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/MTYtNajASTokFkZFndBY-CWgRCw
Cc: "vijay@wichorus.com" <vijay@wichorus.com>, "kilian.weniger@googlemail.com" <kilian.weniger@googlemail.com>, "ipsec@ietf.org" <ipsec@ietf.org>, Ahmad Muhanna <asmuhanna@gmail.com>, Praveen Sathyanarayan <praveenys@juniper.net>, "vjkumar2003@gmail.com" <vjkumar2003@gmail.com>
Subject: Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 13:13:48 -0000
vijay kn writes: > Praveen/Ahmad,> Some vendors don’t support Reauth. In this case what > to do? There is no specific need for reauth on the protocol level. You create new IKE SA, you create new Child SAs, you delete old IKE SA. Everything is just standard IKEv2 and all implementations support that on the protocol level. For the SGW end everything looks like the client just reconnected. For the client end you need bit more code. I.e. when client notices that policy has changed so that REDIRECT support should be turned, then instead of sending your new INFORMATIONAL exchange, it will simply do the reauthentication. This is much easier to implement than what you suggested. Also as people have already pointed out, there is NO POINT of disabling feature on the implementations, especially if you can already now see that you might need it at some point. If it cause problems because of bugs, fix those bugs. If the client implemenation does not support REDIRECT, then upgrade it, and upgrade usually means that you need to start IKE SA again anyways... > I think we are slightly deviating from our original topic. I do not think there is problem here that requires solving. We already have REDIRECT. There are ways to use it. There is way to enable it by doing reauthentication. There is actually another way to do the same thing, i.e. using MOBIKE to dynamically move SAs from one IP-address to another, and of you support suitable methods of transfering SA information to another host you can use that to move all or some IKE and IPsec SAs from one host to another without causing any disruptions. On the other hand you need to send MOBIKE_SUPPORTED in IKE_AUTH, so you cannot enable that on the fly either... And one of the use cases in RFC4621 (MOBIKE Design document) is multihomed servers, i.e. the MOBIKE do allow both ends to move. The rendezvous is outside the scope of MOBIKE, so both ends cannot move at the same time without keeping at least some of the addresses intact. > Why to do reauth which is an expensive operation when you can just intimate > the SeGW that u support redirect via an INFO msg. If you do not want to do expensive operations, then enable the REDIRECT support from the beginning... -- kivinen@iki.fi
- [IPsec] Regarding IKEv2 REDIRECT problem (referen… vijay kn
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Yoav Nir
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Ahmad Muhanna
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… vijay kn
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… vijay kn
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Valery Smyslov
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Ahmad Muhanna
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Jouni
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Ahmad Muhanna
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Praveen Sathyanarayan
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Ahmad Muhanna
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Jouni
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Ahmad Muhanna
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… vijay kn
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Ahmad Muhanna
- Re: [IPsec] Regarding IKEv2 REDIRECT problem (ref… Tero Kivinen