IETF Logo Mail Archive

Re: [IPsec] DPD in IKEv2

Yoav Nir <ynir@checkpoint.com> Sun, 11 July 2010 10:26 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EADD93A699A for <ipsec@core3.amsl.com>; Sun, 11 Jul 2010 03:26:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.738
X-Spam-Level:
X-Spam-Status: No, score=-1.738 tagged_above=-999 required=5 tests=[AWL=-0.340, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, J_CHICKENPOX_83=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1bJ2IgL0wRRH for <ipsec@core3.amsl.com>; Sun, 11 Jul 2010 03:26:41 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by core3.amsl.com (Postfix) with ESMTP id B58E53A698E for <ipsec@ietf.org>; Sun, 11 Jul 2010 03:26:40 -0700 (PDT)
X-CheckPoint: {4C39A8DB-0-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id o6BAQaDq022648; Sun, 11 Jul 2010 13:26:36 +0300 (IDT)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Sun, 11 Jul 2010 13:27:08 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: 'Toby Mao' <yumao9@gmail.com>, IPsecme WG <ipsec@ietf.org>
Date: Sun, 11 Jul 2010 13:27:08 +0300
Thread-Topic: [IPsec] DPD in IKEv2
Thread-Index: Acsg4NvCOFHCFE6xRWa/jbrpsXXkKQAAaRsw
Message-ID: <006FEB08D9C6444AB014105C9AEB133FFE28C51DE8@il-ex01.ad.checkpoint.com>
References: <AANLkTilbxF_NpZbXlZ8KmuwkKGQxz2g6VhYj-xxerCqe@mail.gmail.com>
In-Reply-To: <AANLkTilbxF_NpZbXlZ8KmuwkKGQxz2g6VhYj-xxerCqe@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_006FEB08D9C6444AB014105C9AEB133FFE28C51DE8ilex01adcheck_"
MIME-Version: 1.0
Cc: "maoyu@h3c.com" <maoyu@h3c.com>
Subject: Re: [IPsec] DPD in IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Jul 2010 10:26:47 -0000

Hi.

Liveness check in IKEv2 is very much like any other INFORMATIONAL exchange. Here's what the introduction says about this.

              An INFORMATIONAL request with no payloads (other than the
   empty Encrypted payload required by the syntax) is commonly used as a
   check for liveness.

So you don't need any payloads, and no counters other than the message counter in the IKE header. Also, you are correct that the counter gets synchronized to cluster members, just like following any other IKE message.

Hope this helps

Yoav

________________________________
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Toby Mao
Sent: Sunday, July 11, 2010 1:07 PM
To: IPsecme WG
Cc: maoyu@h3c.com
Subject: [IPsec] DPD in IKEv2

Hi all:
         DPD(RFC 3706) provide a mechanism to detect dead IKEv1 peer.  In  draft-ietf-ipsecme-roadmap-07, 4.2.3.1, it tell us <http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-roadmap/> "This RFC defines an optional extension to IKEv1; dead peer detection (DPD) is an integral part of IKEv2, which refers to this feature as a "liveness check" or "liveness test"."  So we can learn DPD can be used in IKEv2. However,  some issues need to discuss when used in IKEv2.

         #1:  Sequence Number in DPD Message
        In rfc3706, sequence number in DPD message can prove liveliness and guard against message replay attack, it is presented in the notification data field in the Notify Payload format. However, Message ID in the IKEv2 can provide the same function(see WG draft draft-ietf-ipsecme-ikev2bis<http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-ikev2bis/> 2.2). If DPD is used in IKEv2, DPD notify message can use Message ID in the IKEv2 message header other than define the other redundancy sequence number in the notification data field. Furthermore,  another WG draft  draft-ietf-ipsecme-ipsec-ha<http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-ipsec-ha/>  define SADB information to be synchronized in the clusters. If DPD use its unique sequence number , the number should also be synched as IKE SA counters.

         #2:   Message Type
      RFC3706 define DPD  Message  as below:

     Notify                          Message Value

      R-U-THERE                   36136

      R-U-THERE-ACK           36137








      But I do not see these definition in draft-ietf-ipsecme-ikev2bis<http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-ikev2bis/> or http://www.iana.org/assignments/ikev2-parameters.








   So,  should we udpate RFC 3706 or make a detailed description in draft-ietf-ipsecme-ikev2bis<http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-ikev2bis/>?

v2.23.0 | Report a Bug | By Email