Re: [IPsec] ikev2bis issue #185: What do to if you don't ignore INITIAL_CONTACT

Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 31 March 2010 09:26 UTC

Message-ID: <4BB31556.4040105@gmail.com>
Date: Wed, 31 Mar 2010 12:26:46 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
References: <p0624080bc7d840022266@[10.20.30.158]>
In-Reply-To: <p0624080bc7d840022266@[10.20.30.158]>
Cc: IPsecme WG <ipsec@ietf.org>
Subject: Re: [IPsec] ikev2bis issue #185: What do to if you don't ignore INITIAL_CONTACT

Presumably, such implementations would do the same as they normally do 
for INITIAL_CONTACT:

    The INITIAL_CONTACT notification asserts that this IKE SA is the only
    IKE SA currently active between the authenticated identities.  It MAY
    be sent when an IKE SA is established after a crash, and the
    recipient MAY use this information to delete any other IKE SAs it has
    to the same authenticated identity without waiting for a timeout.

The original RFC did not specify that it MUST be sent in a specific 
message, and therefore we'd better leave it somewhat vague instead of 
forcing the protocol to fail otherwise, in particular because the normal 
recipient behavior is a MAY.

Thanks,
	Yaron

On 31.3.2010 2:59, Paul Hoffman wrote:
> s2.4, para 2, says "The INITIAL_CONTACT notification, if sent, MUST be in the first IKE_AUTH request or response, not as a separate exchange afterwards; receiving parties MAY ignore it in other messages."
>
> What should receiving parties do if they *do* receive it and *don't* ignore it? Since it 'MUST be sent in the first IKE_AUTH' receiving at any other time is a protocol error and should cause some response (like dropping the IKE_SA perhaps).
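As an added illustration (not code from this thread or from any IKEv2 implementation), a Python sketch of a responder applying the quoted INITIAL_CONTACT semantics to a constructed IKE SA table: it acts only once the peer's identity has been authenticated, and a notification arriving outside the first IKE_AUTH exchange is either ignored (the MAY) or, as Yaron presumes for implementations that do not ignore it, handled with the normal semantics. The SA table, the identities and the act_outside_ike_auth switch are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed labels for where the notification arrived (assumed, not protocol values).
FIRST_IKE_AUTH = "IKE_AUTH"        # first IKE_AUTH request or response
INFORMATIONAL = "INFORMATIONAL"    # any later exchange


@dataclass
class IkeSa:
    spi: int
    # Authenticated identity of the peer; None until IKE_AUTH has verified it.
    peer_id: Optional[str] = None


def process_initial_contact(sa_table: dict, spi: int, exchange: str,
                            act_outside_ike_auth: bool = False) -> list:
    """Apply INITIAL_CONTACT received on IKE SA `spi`.

    Returns the SPIs of the other IKE SAs that were deleted.
    """
    sa = sa_table[spi]
    # The notification is a claim about *authenticated* identities. Acting on it
    # before the peer has proven who it is would let anyone tear down SAs.
    if sa.peer_id is None:
        return []
    # Outside the first IKE_AUTH the recipient MAY ignore it; Yaron's reading is
    # that a recipient that does not ignore it simply applies the usual rule.
    if exchange != FIRST_IKE_AUTH and not act_outside_ike_auth:
        return []
    # Normal semantics: drop every other IKE SA to the same authenticated identity
    # without waiting for a timeout. Half-open SAs (peer_id None) never match.
    doomed = sorted(s for s, other in sa_table.items()
                    if s != spi and other.peer_id == sa.peer_id)
    for s in doomed:
        del sa_table[s]
    return doomed


def constructed_table() -> dict:
    """Constructed sample: two SAs to alice (one stale), one to bob, one half-open."""
    return {1: IkeSa(1, "alice@example.com"),
            2: IkeSa(2, "alice@example.com"),
            3: IkeSa(3, "bob@example.com"),
            4: IkeSa(4)}
```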