Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt

Yaron Sheffer <yaronf@checkpoint.com> Fri, 03 July 2009 18:45 UTC

From: Yaron Sheffer <yaronf@checkpoint.com>
To: Raj Singh <rsjenwar@gmail.com>, Yoav Nir <ynir@checkpoint.com>
Date: Fri, 03 Jul 2009 21:46:01 +0300
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt

Hi Raj,


It sounds like you want a critical payload (RFC 4306, Sec. 2.5), probably a
payload with no data. In fact the draft could specify both options, the
current VID and such a payload, and leave it to the Initiator to decide
which behavior it prefers. Different scenarios might call for different
behaviors.


Thanks,
Yaron
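The two signalling options discussed in this thread (a Vendor ID the responder may silently ignore, versus a payload with the critical bit set that an unsupporting responder must reject with UNSUPPORTED_CRITICAL_PAYLOAD) come down to how the IKEv2 generic payload header is processed (RFC 4306, Sections 2.5 and 3.2). The following is an added example, not code from the draft or from anyone on the list: it encodes and parses a payload chain, then simulates a responder's payload screening for both an old responder (no childless support) and a new one. The payload type numbers are RFC 4306's; CHILDLESS_PAYLOAD_TYPE is a hypothetical private-use value and CHILDLESS_VID is a constructed Vendor ID string, since the draft itself defines neither.

```python
"""IKEv2 generic payload header handling (RFC 4306, Sections 2.5 and 3.2).

Added example; not code from draft-nir-ipsecme-childless or from the thread.
"""
import struct

# Payload type identifiers from RFC 4306 Section 3.2
NO_NEXT_PAYLOAD = 0
PAYLOAD_SA = 33
PAYLOAD_KE = 34
PAYLOAD_NONCE = 40
PAYLOAD_NOTIFY = 41
PAYLOAD_VENDOR_ID = 43

# Hypothetical: a private-use payload type (RFC 4306 reserves 128-255 for
# private use) standing in for a "childless" marker payload with no data.
CHILDLESS_PAYLOAD_TYPE = 200

# Notify message type from RFC 4306 Section 3.10.1
UNSUPPORTED_CRITICAL_PAYLOAD = 1

# Constructed Vendor ID text for this example only
CHILDLESS_VID = b"EXAMPLE-CHILDLESS-VID"

CRITICAL_BIT = 0x80  # the C bit of the generic payload header


def encode_payload_chain(payloads):
    """payloads: list of (type, critical, data).

    Returns (first_payload_type, body). In a real message the first type goes in
    the IKE header's Next Payload field; every payload's own header carries the
    type of the *following* payload, the C bit, and a length that includes the
    4-byte header itself.
    """
    if not payloads:
        return NO_NEXT_PAYLOAD, b""
    out = bytearray()
    for i, (_, critical, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        flags = CRITICAL_BIT if critical else 0
        out += struct.pack("!BBH", next_type, flags, 4 + len(data)) + data
    return payloads[0][0], bytes(out)


def decode_payload_chain(first_type, body):
    """Walk the chain and return [(type, critical, data), ...].

    Raises ValueError on truncation or an inconsistent Payload Length; a parser
    must never trust the length field without checking it against the buffer.
    """
    result, ptype, offset = [], first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if offset + 4 > len(body):
            raise ValueError("truncated payload header")
        next_type, flags, length = struct.unpack_from("!BBH", body, offset)
        if length < 4 or offset + length > len(body):
            raise ValueError("bad payload length")
        result.append((ptype, bool(flags & CRITICAL_BIT), bytes(body[offset + 4:offset + length])))
        offset += length
        ptype = next_type
    if offset != len(body):
        raise ValueError("trailing bytes after last payload")
    return result


def responder_check(first_type, body, supported_types, childless_vid_known):
    """Simulate a responder's payload screening per RFC 4306 Section 2.5.

    Returns ("reject", UNSUPPORTED_CRITICAL_PAYLOAD, ptype) for an unknown
    payload with the C bit set, otherwise ("proceed", childless_requested).
    Unknown payloads without the C bit are skipped, as the RFC requires.
    """
    childless = False
    for ptype, critical, data in decode_payload_chain(first_type, body):
        if ptype == PAYLOAD_VENDOR_ID:
            if childless_vid_known and data == CHILDLESS_VID:
                childless = True
            continue  # a Vendor ID is always safe to ignore
        if ptype not in supported_types:
            if critical:
                return ("reject", UNSUPPORTED_CRITICAL_PAYLOAD, ptype)
            continue  # unknown, non-critical: skip it
        if ptype == CHILDLESS_PAYLOAD_TYPE:
            childless = True
    return ("proceed", childless)


def scenarios():
    """Run both initiator styles against an old and a new responder.

    SA/KE/Nonce contents are constructed placeholders; only the chain matters.
    """
    base = [(PAYLOAD_SA, False, b"\x00" * 8),
            (PAYLOAD_KE, False, b"\x00" * 8),
            (PAYLOAD_NONCE, False, b"N" * 16)]
    initiators = {"vid": base + [(PAYLOAD_VENDOR_ID, False, CHILDLESS_VID)],
                  "critical": base + [(CHILDLESS_PAYLOAD_TYPE, True, b"")]}
    old_responder = {PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_NONCE, PAYLOAD_NOTIFY}
    new_responder = old_responder | {CHILDLESS_PAYLOAD_TYPE}
    results = {}
    for name, chain in initiators.items():
        first, body = encode_payload_chain(chain)
        results[(name, "old")] = responder_check(first, body, old_responder, False)
        results[(name, "new")] = responder_check(first, body, new_responder, True)
    return results


if __name__ == "__main__":
    for key, outcome in sorted(scenarios().items()):
        print(key, "->", outcome)
```

The ("vid", "old") case is the one Raj describes: the old responder proceeds as if nothing special were asked, so the initiator only discovers the lack of support from the response. The ("critical", "old") case shows the alternative: the unknown critical payload forces a rejection with UNSUPPORTED_CRITICAL_PAYLOAD before any SA setup continues, while a supporting responder treats the same payload as the childless request.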


  _____  

From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
Raj Singh
Sent: Friday, July 03, 2009 16:51
To: Yoav Nir
Cc: ipsec@ietf.org
Subject: Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt


Hi Yoav,

Mostly the Initiator will decide that it wants to bring UP only IKE SA
without child SA.
But currently there is no notify/VID from Initiator to Responder to indicate
that initiator wants to bring only IKE SA. Even if responder does not
support "childless IKE_AUTH", it will process IKE_SA_INIT, involving CPU
intensive D-H calculations, and send IKE_SA_INIT response without "childless
VID" payload.

Introducing a notify/VID payload from Initiator indicating that it wants to bring UP
only IKE SA without child SA will ease the processing at Responder side. If
responder does not support "childless IKE_AUTH", it can send INVALID_SYNTAX.
Then, Initiator will wait for "Child SA" info to be available to bring UP
both IKE and child SA, normally as mentioned in RFC 4306.

Thanks,
Raj 

On Thu, Jul 2, 2009 at 1:42 AM, Yoav Nir <ynir@checkpoint.com> wrote:

Hi all.

This is the fourth iteration of this draft.  New in this iteration
 - Another co-author
 - Changed the name, so that this item is considered in the rechartering
discussion
 - Fixed some notation and some discussion based on comments from the list

Yoav
________________________________________
From: i-d-announce-bounces@ietf.org [i-d-announce-bounces@ietf.org] On
Behalf Of Internet-Drafts@ietf.org [Internet-Drafts@ietf.org]
Sent: Wednesday, July 01, 2009 12:15
To: i-d-announce@ietf.org
Subject: I-D Action:draft-nir-ipsecme-childless-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories.

       Title           : A Childless Initiation of the IKE SA
       Author(s)       : Y. Nir, et al.
       Filename        : draft-nir-ipsecme-childless-00.txt
       Pages           : 7
       Date            : 2009-07-01

This document describes an extension to the IKEv2 protocol that
allows an IKE SA to be created and authenticated without generating a
child SA.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-nir-ipsecme-childless-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.



_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
