Re: [IPsec] AD review: draft-ietf-ipsecme-ipsec-ha

Yoav Nir <ynir@checkpoint.com> Thu, 10 June 2010 16:28 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F35B03A699D for <ipsec@core3.amsl.com>; Thu, 10 Jun 2010 09:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.734
X-Spam-Level:
X-Spam-Status: No, score=-0.734 tagged_above=-999 required=5 tests=[AWL=0.006, BAYES_20=-0.74]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oUGhaE-7aKHQ for <ipsec@core3.amsl.com>; Thu, 10 Jun 2010 09:28:08 -0700 (PDT)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.34.68]) by core3.amsl.com (Postfix) with ESMTP id 51CDC3A6983 for <ipsec@ietf.org>; Thu, 10 Jun 2010 09:28:07 -0700 (PDT)
X-CheckPoint: {4C112065-0-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id o5AGS6Dq010935; Thu, 10 Jun 2010 19:28:06 +0300 (IDT)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 10 Jun 2010 19:28:35 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Sean Turner <turners@ieca.com>
Date: Thu, 10 Jun 2010 19:28:23 +0300
Thread-Topic: [IPsec] AD review: draft-ietf-ipsecme-ipsec-ha
Thread-Index: AcsIufkbRv6BoR2sSHa8ts3QnNyQNg==
Message-ID: <21A937C6-D771-4A64-B1F4-5CBE4E903BD6@checkpoint.com>
References: <4C0E2832.8050205@ieca.com> <DDA3FDB4-9541-4FF2-B708-26C1572ABE52@checkpoint.com> <4C11073F.2010608@ieca.com> <6A42450B-ECBC-4D54-8429-F54D3FEAB4DA@checkpoint.com> <4C11102D.4050508@ieca.com>
In-Reply-To: <4C11102D.4050508@ieca.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] AD review: draft-ietf-ipsecme-ipsec-ha
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2010 16:28:09 -0000

Done in -06

On Jun 10, 2010, at 7:17 PM, Sean Turner wrote:

> Yoav Nir wrote:
>> On Jun 10, 2010, at 6:39 PM, Sean Turner wrote:
>> 
>>> Yoav Nir wrote:
>>> 
>>>> #13, #15, a few more (no MUST/SHOULD/MAY language). I have two issues with this. The first, is that this document is a problem statement, and intended to be INFORMATIONAL. No gateway is ever going to be said to "implement" this document. As such, I don't think it should mandate any behaviors. Some behaviors are suggested as solutions, for example "replay counter must not repeat" ==> "gateway can synchronize occasionally, and skip 10,000 numbers at failover". The charter does not allow us at this point to mandate that newly-active gateways skip 10,000 numbers. We only say this, because it is one way to solve the problem, which some vendors have already done, and other gateways should be ready for this to happen. When it comes to creating a standards-track document, we might suggest this to cluster implementers, and more important, we may mandate that all conforming IPsec implementers (whether their gateways cluster or not) MUST accept such replay counter jumps.
>>>> So I left most of sections 3.4-9 without RFC 2119 language. As an exception to this rule, where the behavior is already mandated by older RFCs (4301 and/or 4306), I did capitalize the requirement language (so "replay counter must never repeat" --> "replay counter MUST NOT repeat")
>>> On #15, I can see that the text is proposing possible solutions.  For 
>>> #13, it reads like counters are the only solution.  Can you tweak the 
>>> text in such a way that it says "one possible solution, is ..." and 
>>> that way it doesn't sound like counters is the only mechanism (even if 
>>> it is)?
>> 
>> 
>> How about this:
>>   One possible solution, is to synchronize information about the IKE
>>   message counters after every IKE exchange.  This way, the newly
>>   active member knows what messages it is allowed to process, and what
>>   message IDs to use on IKE requests, so that peers process them.  This
>>   solution may be appropriate in some cases, but may be too onerous in
>>   systems with lots of SAs.  It also has the drawback, that it never
>>   recovers from the missing synch message problem, which is described
>>   in Section 3.6.
> 
> That works for me.
> 
> spt
> 
> Scanned by Check Point Total Security Gateway.