Re: [IPsec] Another round of IKEv2-bis issues
Tero Kivinen <kivinen@iki.fi> Fri, 16 April 2010 13:28 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B6B9D28C17C; Fri, 16 Apr 2010 06:28:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.067
X-Spam-Level:
X-Spam-Status: No, score=-1.067 tagged_above=-999 required=5 tests=[AWL=-1.068, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id izPT8nBiksF5; Fri, 16 Apr 2010 06:28:31 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id C62B928C17A; Fri, 16 Apr 2010 06:18:47 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o3GDIZgD026587 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 16 Apr 2010 16:18:35 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o3GDIYcS020716; Fri, 16 Apr 2010 16:18:34 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19400.25514.92364.300616@fireball.kivinen.iki.fi>
Date: Fri, 16 Apr 2010 16:18:34 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: David Wierbowski <wierbows@us.ibm.com>
In-Reply-To: <OF6AD2BFF8.4EBFBC83-ON852576FF.0050D170-852576FF.0054E2E4@us.ibm.com>
References: <006FEB08D9C6444AB014105C9AEB133FB37650C568@il-ex01.ad.checkpoint.com> <19389.52595.209726.960078@fireball.kivinen.iki.fi> <OF6AD2BFF8.4EBFBC83-ON852576FF.0050D170-852576FF.0054E2E4@us.ibm.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 14 min
X-Total-Time: 18 min
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, ipsec-bounces@ietf.org
Subject: Re: [IPsec] Another round of IKEv2-bis issues
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2010 13:28:32 -0000
David Wierbowski writes: > What is wrong with using a valid child SA? If you are claiming > the child SA is not valid because it's IKE SA on host A no longer > exists then I'll agree. Yes. The Child SAs are tied up to the IKE SA and if IKE SA dies, all Child SAs needs to be deleted also. > When host A lost the IKE SA because the > security processor failed it should have cleaned up any SAs created > by the IKE SA. If the information that this Child SA belongs to that IKE SA was on the same security processor which had IKE SA then it cannot, and if this is the case, then the implementation is broken. If the Child SA on separate security processor still knows how to tie itself to the IKE SA, and can clean up the state, then the implementation is correct. The text there said that you should not create such implementation where the Child SA does not get deleted when IKE SA is deleted. Instead you needs to make sure that you can clean up all Child SAs when the IKE SA disappears. > That does not mean all SAs created by the IKE SA need > be on the same security processor. True. The text does not require that. It does require that you can maintain the connection between IKE SAs and Child SAs, and if you cannot, because of the setup, then you need to use separate IKE SAs. > That's just your rule and how you > decided to handle the situation. You could have kept knowledge of > this relationship outside of the security processor. I see no reason > to dictate how to handle this situation in the RFC. The RFC does not dicate solution, it dictates, that you need to solve the problem and make sure that the IKE SA and Child SA connection stays intact regardless of failures. And if you cannot ensure that then you need to use separate IKE SAs. > > >This means that host B will > >never start DPD, as it is seeing valid packets from host A coming in, > >thus it will never notice that other Child SAs and the IKE SA on the > >other security processor are dead, and will happily send data to them > >without trying to recover. > > Well if host A did not properly cleanup up all child SAs I agree this > could happen, but so what? Everyone is happy. Data is being > exchanged as per the child SA. If host A did kill the child SA then > dead peer detection would kick in as desired. Data is exchanged over one SA, but there might be others on other security processors, and from the Host B point of view those work too (as IKEv2 assumes that either all Child SAs and IKE SA fail, or all of them work). So Host B will send traffic to those SAs too, and that will cause black hole, as those SAs did get destroyed when the failure happened. > It's all a matter of bookkeeping. If they can fail separately you just > need to keep track of what needs to be cleaned up when a failure > occurs. If you keep that bookkeeping, then they do not fail separately, so this text does not apply. > >I do not agree on that. In most cases this is implementation hint that > >is not needed, as most environments do not have multiple independent > >security processors, but on those environments where we have those, it > >is important for correct behavior that implementors implement this > >correctly. Those who are really working on implementations on systems > >which have multiple independent security processors should understand > >what is said in the current text. As those people who do work on such > >implementaions is extremely small, I do not think there is need to > >add lots of material explaining the situation (as I did here in this > >email), but keeping the text in the specification is still needed. > > I do not agree. The rule is simple. If an IKE fails cleanup all Child > SAs created by it. In the case of a security processor failure you are > guaranteed to have that happen if you keep the child SA on the same > security processor, but that does not means that is the only way to > do that. You have some distribution logic in place to begin with. That > logic can save enough state to perform the proper cleanup. I see no > reason to address how this cleanup occurs in this RFC. I think we need to mandate that logic you explained there to the RFC. The text there does that. It says that you need to keep Child SAs and IKE SAs connected, and either all of them work, or none of them work (or you might also get delete notifications for those which failed, provided the IKE SA stays up). What is not allowed that some of the Child SAs stay up, but the IKE SA does not (i.e. no delete notifications). And this from the remote point of view, i.e. if you maintain internal bookeeping and destroy the Child SA when one security processor fails, that is fine, and from the remote point of view all Child SAs and IKE SA got destroyed. -- kivinen@iki.fi
- [IPsec] Another round of IKEv2-bis issues Yoav Nir
- [IPsec] Issue #187, was: Re: Another round of IKEā¦ Yaron Sheffer
- [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski
- Re: [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski
- Re: [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski
- Re: [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski
- Re: [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski