IETF Logo Mail Archive

Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)

Tero Kivinen <kivinen@iki.fi> Tue, 06 May 2014 13:13 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 747101A0429 for <ipsec@ietfa.amsl.com>; Tue, 6 May 2014 06:13:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4QxzKjLaZ7RM for <ipsec@ietfa.amsl.com>; Tue, 6 May 2014 06:13:47 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 34E871A030B for <ipsec@ietf.org>; Tue, 6 May 2014 06:13:47 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.7) with ESMTP id s46DDX7N003849 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 6 May 2014 16:13:33 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.7/Submit) id s46DDXDA023985; Tue, 6 May 2014 16:13:33 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID: <21352.57341.564145.859848@fireball.kivinen.iki.fi>
Date: Tue, 06 May 2014 16:13:33 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: vijay kn <vijay.kn@huawei.com>
In-Reply-To: <AD5AD8B0B070044BAD3C37D7057F37E153FE65DB@szxeml513-mbx.china.huawei.com>
References: <AD5AD8B0B070044BAD3C37D7057F37E153FE638D@szxeml513-mbx.china.huawei.com> <E1DF8B79-5C70-43EF-AA52-1F13F1A77C7B@gmail.com> <AD5AD8B0B070044BAD3C37D7057F37E153FE64F9@szxeml513-mbx.china.huawei.com> <CF8D08A7.5371E%praveenys@juniper.net> <CAPfd2wMf4WymBeVWJ9=4vMVRW_-0kLytmXahyhBTuh+xUe_LdQ@mail.gmail.com> <AD5AD8B0B070044BAD3C37D7057F37E153FE65DB@szxeml513-mbx.china.huawei.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 12 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/MTYtNajASTokFkZFndBY-CWgRCw
Cc: "vijay@wichorus.com" <vijay@wichorus.com>, "kilian.weniger@googlemail.com" <kilian.weniger@googlemail.com>, "ipsec@ietf.org" <ipsec@ietf.org>, Ahmad Muhanna <asmuhanna@gmail.com>, Praveen Sathyanarayan <praveenys@juniper.net>, "vjkumar2003@gmail.com" <vjkumar2003@gmail.com>
Subject: Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 13:13:48 -0000

vijay kn writes:
> Praveen/Ahmad,> Some vendors don’t support Reauth. In this case what
> to do? 

There is no specific need for reauth on the protocol level. You create
new IKE SA, you create new Child SAs, you delete old IKE SA.
Everything is just standard IKEv2 and all implementations support
that on the protocol level. For the SGW end everything looks like the
client just reconnected.

For the client end you need bit more code. I.e. when client notices
that policy has changed so that REDIRECT support should be turned,
then instead of sending your new INFORMATIONAL exchange, it will
simply do the reauthentication.

This is much easier to implement than what you suggested. Also as
people have already pointed out, there is NO POINT of disabling
feature on the implementations, especially if you can already now see
that you might need it at some point. If it cause problems because of
bugs, fix those bugs. If the client implemenation does not support
REDIRECT, then upgrade it, and upgrade usually means that you need to
start IKE SA again anyways...

> I think we are slightly deviating from our original topic.

I do not think there is problem here that requires solving. We already
have REDIRECT. There are ways to use it. There is way to enable it by
doing reauthentication. There is actually another way to do the same
thing, i.e. using MOBIKE to dynamically move SAs from one IP-address
to another, and of you support suitable methods of transfering SA
information to another host you can use that to move all or some IKE
and IPsec SAs from one host to another without causing any
disruptions. On the other hand you need to send MOBIKE_SUPPORTED in
IKE_AUTH, so you cannot enable that on the fly either... And one of
the use cases in RFC4621 (MOBIKE Design document) is multihomed
servers, i.e. the MOBIKE do allow both ends to move. The rendezvous
is outside the scope of MOBIKE, so both ends cannot move at the same
time without keeping at least some of the addresses intact.

> Why to do reauth which is an expensive operation when you can just intimate
> the SeGW that u support redirect via an INFO msg.

If you do not want to do expensive operations, then enable the
REDIRECT support from the beginning... 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email