IETF Logo Mail Archive

Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt

Raj Singh <rsjenwar@gmail.com> Sat, 04 July 2009 10:45 UTC

Return-Path: <rsjenwar@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 64A183A679C for <ipsec@core3.amsl.com>; Sat, 4 Jul 2009 03:45:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.436
X-Spam-Level:
X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[AWL=0.162, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cY7ZSlE70lpQ for <ipsec@core3.amsl.com>; Sat, 4 Jul 2009 03:45:17 -0700 (PDT)
Received: from mail-pz0-f198.google.com (mail-pz0-f198.google.com [209.85.222.198]) by core3.amsl.com (Postfix) with ESMTP id E02A33A67CC for <ipsec@ietf.org>; Sat, 4 Jul 2009 03:44:05 -0700 (PDT)
Received: by pzk36 with SMTP id 36so3221190pzk.29 for <ipsec@ietf.org>; Sat, 04 Jul 2009 03:43:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=IGOrI0gYAkev2gfMbMmY8OXKm6LhTq8n3hKu33tojqQ=; b=rVVcZXY/qnkkqmc5eXuloGwmzK1y0BjRgvKHT8UJQMDCXC0hlXhnQ4liJEtW6gz3Ua mz23p3dRYFQ5ubWLi7LDk5fB43JcXubiPH1FMmmQAqPE+eLQmvovWly42A92y/m3trjD 6d7oySycZjSwWTu68Yif638eBw7iyFkh4ER0E=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=ORDP1th7B4pPOeQ619qzaXMdozKnhALkutl6IwU/L3Oj8dcrITrrrI6t8UXt92NtyB wAlTTEKrUWGClA2E4NiCMVkVEt5N15L2NNtYm6k9TgkgfVAMrYxNhAMmdglleGAlakvF 2T+1QtbCI4V2050vYPCEJHPMQhyRXi03wS2wc=
MIME-Version: 1.0
Received: by 10.142.254.8 with SMTP id b8mr748799wfi.144.1246703807770; Sat, 04 Jul 2009 03:36:47 -0700 (PDT)
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC8E8ABD594C4@il-ex01.ad.checkpoint.com>
References: <20090701091501.2DAE328C101@core3.amsl.com> <006FEB08D9C6444AB014105C9AEB133F433539DEC2@il-ex01.ad.checkpoint.com> <7ccecf670907030651uec406e4ha9fa9adc027f8335@mail.gmail.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC8E8ABD594C4@il-ex01.ad.checkpoint.com>
Date: Sat, 04 Jul 2009 16:06:47 +0530
Message-ID: <7ccecf670907040336t51b15b1t790284952459069a@mail.gmail.com>
From: Raj Singh <rsjenwar@gmail.com>
To: Yaron Sheffer <yaronf@checkpoint.com>
Content-Type: multipart/alternative; boundary="00504502ccd59a30e6046dded9cf"
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Yoav Nir <ynir@checkpoint.com>
Subject: Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jul 2009 10:45:18 -0000

Hi Yaron,

I agree with you.
Your suggestion of having "critical" bit set on childless notify/VID payload
from initiator in IKE_SA_INIT exchange will define the bahavior as mentioned
below.

If initiator want to childless IKE_AUTH, it will send  CHILDLESS_IKE_AUTH
notify/VID payload having "critical" flag SET in IKE_SA_INIT request.

1. It will help responder not to process the IKE_SA_INIT exchange if it does
not support childless IKE_AUTH.

"The responder MUST reject IKE_SA_INIT exchange if it receives
CHILDLESS_IKE_AUTH notify/VID payload in IKE_SA_INIT exchange from initiator
if responder does not support childless IKE_AUTH and in response to the
IKE_SA_INIT exchange containing CHILDLESS_IKE_AUTH it MUST send
UNSUPPORTED_CRITICAL_PAYLOAD, the notification data will contain two-octet
unsupported notify/VID payload type i.e. CHILDLESS_IKE_AUTH."

2. It will help initiator to not to go ahead with childless IKE_AUTH if
responder doesn't support it wtithout procesing IKE_SA_INIT response.

With Regards,
Raj

On Sat, Jul 4, 2009 at 12:16 AM, Yaron Sheffer <yaronf@checkpoint.com>wrote:

>  Hi Raj,
>
>
>
> It sounds like you want a critical payload (RFC 4306, Sec. 2.5), probably a
> payload with no data. In fact the draft could specify both options, the
> current VID and such a payload, and leave it to the Initiator to decide
> which behavior it prefers. Different scenarios might call for different
> behaviors.
>
>
>
> Thanks,
>
>             Yaron
>
>
>   ------------------------------
>
> *From:* ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] *On Behalf
> Of *Raj Singh
> *Sent:* Friday, July 03, 2009 16:51
> *To:* Yoav Nir
> *Cc:* ipsec@ietf.org
> *Subject:* Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt
>
>
>
> Hi Yoav,
>
> Mostly the Initiator will decide that it wants to bring UP only IKE SA
> without child SA.
> But currently there is no notify/VID from Initiator to Responder to
> indicate that initiator wants to bring only IKE SA. Even if responder does
> not supports "childless IKE_AUTH", it will process IKE_SA_INIT, involding
> CPU intensive D-H calculations, and send IKE_SA_INIT response without
> "childless VID" payload.
>
> By introducing a notify/VID payload from Initiator that it wants to bring
> UP only IKE SA without child SA wil ease the processing ar Responder side.
> If responder does not support "childless IKE_AUTH", it can send
> INVALID_SYNTAX. Then, Initiator will wait for "Child SA" info to be
> available to bring UP both IKE and child SA, normally as mentioned in RFC
> 4306.
>
> Thanks,
> Raj
>
> On Thu, Jul 2, 2009 at 1:42 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>
> Hi all.
>
> This is the fourth iteration of this draft.  New in this iteration
>  - Another co-author
>  - Changed the name, so that this item is considered in the rechartering
> discussion
>  - Fixed some notation and some discussion based on comments from the list
>
> Yoav
> ________________________________________
> From: i-d-announce-bounces@ietf.org [i-d-announce-bounces@ietf.org] On
> Behalf Of Internet-Drafts@ietf.org [Internet-Drafts@ietf.org]
> Sent: Wednesday, July 01, 2009 12:15
> To: i-d-announce@ietf.org
> Subject: I-D Action:draft-nir-ipsecme-childless-00.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
>        Title           : A Childless Initiation of the IKE SA
>        Author(s)       : Y. Nir, et al.
>        Filename        : draft-nir-ipsecme-childless-00.txt
>        Pages           : 7
>        Date            : 2009-07-01
>
> This document describes an extension to the IKEv2 protocol that
> allows an IKE SA to be created and authenticated without generating a
> child SA.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-nir-ipsecme-childless-00.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
>
>
>
> Email secured by Check Point
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
>
>
>
> Scanned by Check Point Total Security Gateway.
>

v2.31.3 | Report a Bug | By Email | System Status