Re: [IPsec] IPsec Digest, Vol 123, Issue 21
Tero Kivinen <kivinen@iki.fi> Tue, 19 August 2014 10:40 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C8401A8896 for <ipsec@ietfa.amsl.com>; Tue, 19 Aug 2014 03:40:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.789
X-Spam-Level:
X-Spam-Status: No, score=-1.789 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GDjzAA12h8dI for <ipsec@ietfa.amsl.com>; Tue, 19 Aug 2014 03:39:58 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73C091A03BF for <ipsec@ietf.org>; Tue, 19 Aug 2014 03:39:58 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id s7JAdpdq025078 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 19 Aug 2014 13:39:51 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id s7JAdprZ007675; Tue, 19 Aug 2014 13:39:51 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21491.10614.714777.145464@fireball.kivinen.iki.fi>
Date: Tue, 19 Aug 2014 13:39:50 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Les Leposo <leposo@gmail.com>
In-Reply-To: <9852A873-1EEA-45EC-AEA3-BA654249A662@gmail.com>
References: <mailman.4236.1406823571.13632.ipsec@ietf.org> <A0463391-0BB4-408F-874B-A6B91ED6D102@gmail.com> <21490.4420.127387.489490@fireball.kivinen.iki.fi> <9852A873-1EEA-45EC-AEA3-BA654249A662@gmail.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 14 min
X-Total-Time: 14 min
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/OnjClX0122bhOgwkzV107tXQMJo
Cc: ipsec@ietf.org
Subject: Re: [IPsec] IPsec Digest, Vol 123, Issue 21
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 10:40:00 -0000
Les Leposo writes: > have you overlooked the issue of nat mappings? Nope. > ipsec nat keepalives are very useful for keeping nat mappings alive, > and in a world full of all sorts of nat devices (some behaving > reliably and others not), one would have to use low keepalive > interval... like 10-60s. IPsec NAT-T keepalives are completely different thing than DPD. IPsec NAT-T keepalives are packets sent by the device behind the NAT as specified in the RFC3948 section 2.3. The responder SHOULD ignore the received NAT-keepalive packet, and MUST NOT be used to detect whether a connection is live (RFC 3948 section 4). Only device behind the NAT sends them and other end does not respond to them, or send its own keepalives (unless it is also behind NAT). The dead peer detection (DPD) or liveness check is a procedure specified in the RFC5996 section 2.4 where it says that: ... If there has only been outgoing traffic on all of the SAs associated with an IKE SA, it is essential to confirm liveness of the other endpoint to avoid black holes. If no cryptographically protected messages have been received on an IKE SA or any of its Child SAs recently, the system needs to perform a liveness check in order to prevent sending messages to a dead peer. (This is sometimes called "dead peer detection" or "DPD", although it is really detecting live peers, not dead ones.) Receipt of a fresh cryptographically protected message on an IKE SA or any of its Child SAs ensures liveness of the IKE SA and all of its Child SAs. This is done by sending empty INFORMATIONAL message to the other end, and if there is response to it then other end is up and running. You are supposed to do this only when you suspect something is wrong, i.e. the traffic changed to be one way (i.e. no packets coming back), or you get ICMP or unauthenticated notify payload or similar. > Now, today's client devices need to be energy efficient - so the > device sleeps/hibernates to save battery. Sleeping past the nat > keepalives is bound to happen (either by design or error). At some > point the device will wake from sleep and need to test reachability > using dpd. Yes, if the device sleeps a long time, it should check whether the IKE SA is still up by using DPD. This has nothing to do with the NAT keepalives. > And in some cases (if the sleep was more than a certain threshold), > rather than wait for dpd to failover, the choice is to go for rekey. Rekey is not an option, as that would require the IKE SA to still be up. I think you mean startting the IKE SA from the beginning. If the device has been sleeping for long time, and it suspects the IKE SA is gone, it might try shorter period for the DPD, i.e. send few retries for the empty INFORMATIONAL message and if no response is received, then fall back to start the IKE SA from the beginning. The device of course needs to first wait that the network is up again before doing this test, as when you wake up from the sleep, the device most likely needs to find the wifi network again, do DHCP, perhaps even do hotel login page etc before it can actually send any packets to network, and doing DPD during that time, would certainly fail, even when the other end would still be there. It is important to remember what are the fundamental restrictions set by the protocol, and which issues are just caused by bad implementations. Quite a lot of the problems we are seeing are caused by bad implementations... -- kivinen@iki.fi
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo