Re: [IPsec] FW: I-D Action:draft-nir-ipsecme-childless-00.txt
Raj Singh <rsjenwar@gmail.com> Wed, 08 July 2009 04:17 UTC
In-Reply-To: <19027.41530.987118.492735@fireball.kivinen.iki.fi>
References: <20090701091501.2DAE328C101@core3.amsl.com> <006FEB08D9C6444AB014105C9AEB133F433539DEC2@il-ex01.ad.checkpoint.com> <7ccecf670907030651uec406e4ha9fa9adc027f8335@mail.gmail.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC8E8ABD594C4@il-ex01.ad.checkpoint.com> <7ccecf670907040336t51b15b1t790284952459069a@mail.gmail.com> <19027.41530.987118.492735@fireball.kivinen.iki.fi>
Date: Wed, 08 Jul 2009 09:48:02 +0530
Message-ID: <7ccecf670907072118l2cad6e24i6de6aadfc023604a@mail.gmail.com>
From: Raj Singh <rsjenwar@gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Yoav Nir <ynir@checkpoint.com>
Hi Tero,

Thanks for your valuable inputs. Please find my inputs inline. <Raj>

On Wed, Jul 8, 2009 at 1:00 AM, Tero Kivinen <kivinen@iki.fi> wrote:
> Raj Singh writes:
> > Your suggestion of having the "critical" bit set on the childless notify/VID
> > payload from the initiator in the IKE_SA_INIT exchange will define the
> > behavior as mentioned below.
>
> That is not the correct way of using the critical bit. The critical bit means that
> if it is set and the PAYLOAD TYPE is not understood, then an
> UNSUPPORTED_CRITICAL_PAYLOAD error is reported. Every implementation
> will understand Notify and Vendor ID payloads, thus they will never
> return UNSUPPORTED_CRITICAL_PAYLOAD regardless of what the contents of
> those payloads are.

<Raj> I was under the impression that we could have the "critical" bit in the childless IKE_AUTH notify/VID. Yaron also clarified in the same thread that we need a new exchange type to have the "critical" bit on it.

> > If the initiator wants a childless IKE_AUTH, it will send a CHILDLESS_IKE_AUTH
> > notify/VID payload having the "critical" flag SET in the IKE_SA_INIT request.
> > And a compliant implementation will do what RFC 4306 says, i.e.:
>
>   ... MUST be ignored by the recipient if the recipient
>   understands the payload type code. MUST be set to zero for
>   payload types defined in this document. Note that the critical
>   bit applies to the current payload rather than the "next"
>   payload whose type code appears in the first octet. The
>   reasoning behind not setting the critical bit for payloads
>   defined in this document is that all implementations MUST
>   understand all payload types defined in this document and
>   therefore must ignore the Critical bit's value. Skipped payloads
>   are expected to have valid Next Payload and Payload Length
>   fields.
>
> The correct way to do it is to make a new exchange type for this new
> childless IKE_SA_INIT & IKE_AUTH. That way old implementations will
> then know that they do not understand this new type and will drop the
> packets. This is if you really want the property that if the responder
> does not understand childless IKE_AUTH you do not want to continue at
> all.
>
> I have not yet read the draft, as I have been too busy with working
> group drafts already, and I still do not know if this is really needed
> at all...

<Raj> If we can't have the "critical" bit inside the associated data of the childless notify/VID, then a new exchange type is a near possibility. Please have a look at the use cases in the draft for the need for this draft.

> --
> kivinen@iki.fi

With Regards,
Raj
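The point Tero makes about the Critical bit is easiest to see in receiver code. The following is an added example, not code from this thread, from the draft, or from any IKEv2 implementation: it encodes IKEv2 generic payload headers (RFC 4306 section 3.2) and walks a received payload chain the way the RFC tells a recipient to. The payload type codes, the UNSUPPORTED_CRITICAL_PAYLOAD Notify type and its format are taken from RFC 4306; the Notify status value 40960 used as a stand-in "childless" notification and the private-use payload type 200 are constructed for illustration and are not the draft's identifiers.

```python
"""Receiver-side handling of the IKEv2 payload Critical (C) bit, RFC 4306 s.3.2.

Added example, not code from the thread or from any IKEv2 implementation.
All byte strings built below are constructed test input.
"""
import struct

# RFC 4306 section 3.2 payload type codes.  The RFC requires every
# implementation to understand all of these, so the C bit on any of them is
# ignored on receipt; only an unknown type can ever trigger the error.
KNOWN_PAYLOAD_TYPES = {
    33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
    39: "AUTH", 40: "Ni/Nr", 41: "N", 42: "D", 43: "V", 44: "TSi",
    45: "TSr", 46: "SK", 47: "CP", 48: "EAP",
}
NO_NEXT_PAYLOAD = 0
PAYLOAD_N = 41                    # Notify
PAYLOAD_V = 43                    # Vendor ID
UNSUPPORTED_CRITICAL_PAYLOAD = 1  # Notify Message Type, RFC 4306 s.3.10.1

HEADER = struct.Struct("!BBH")    # Next Payload | C bit + 7 RESERVED | Payload Length


class UnsupportedCriticalPayload(Exception):
    """Raised when a critical payload of unknown type is encountered."""

    def __init__(self, payload_type):
        super().__init__(f"unsupported critical payload type {payload_type}")
        self.payload_type = payload_type


def build_payload_chain(payloads):
    """Encode [(type, body, critical), ...] as a chained IKEv2 payload sequence.

    Returns (first_payload_type, encoded_bytes).  The C bit is bit 7 of the
    second header octet; the remaining seven RESERVED bits are sent as zero.
    """
    out = bytearray()
    for i, (ptype, body, critical) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        flags = 0x80 if critical else 0x00
        out += HEADER.pack(next_type, flags, HEADER.size + len(body)) + body
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    return first, bytes(out)


def walk_payloads(first_type, data):
    """Walk a payload chain as RFC 4306 section 3.2 tells a recipient to.

    Understood payload: process it and ignore the C bit whatever its value.
    Unknown payload, C clear: skip it using its Payload Length.
    Unknown payload, C set: stop and raise UnsupportedCriticalPayload.
    Returns a list of (name, critical, body) for the understood payloads.
    """
    processed = []
    ptype, off = first_type, 0
    while ptype != NO_NEXT_PAYLOAD:
        if off + HEADER.size > len(data):
            raise ValueError("truncated payload header")
        next_type, flags, length = HEADER.unpack_from(data, off)
        if length < HEADER.size or off + length > len(data):
            raise ValueError("bad Payload Length")
        critical = bool(flags & 0x80)
        body = data[off + HEADER.size:off + length]
        if ptype in KNOWN_PAYLOAD_TYPES:
            # Understood: the C bit "MUST be ignored by the recipient".
            processed.append((KNOWN_PAYLOAD_TYPES[ptype], critical, body))
        elif critical:
            raise UnsupportedCriticalPayload(ptype)
        # else: unknown and non-critical, skipped.  Its Next Payload and
        # Payload Length fields still had to be valid for us to get past it.
        ptype, off = next_type, off + length
    return processed


def unsupported_critical_notify(payload_type):
    """Notify a responder sends back: Protocol ID 0, SPI Size 0,
    type UNSUPPORTED_CRITICAL_PAYLOAD, data = the one-octet offending type."""
    body = struct.pack("!BBH", 0, 0, UNSUPPORTED_CRITICAL_PAYLOAD) + bytes([payload_type])
    return build_payload_chain([(PAYLOAD_N, body, False)])[1]


def receive(first_type, data):
    """Responder decision: ("ok", processed) or ("reject", notify_bytes)."""
    try:
        return "ok", walk_payloads(first_type, data)
    except UnsupportedCriticalPayload as e:
        return "reject", unsupported_critical_notify(e.payload_type)


# Constructed inputs.  40960 is the start of the private-use Notify status
# range in RFC 4306; it stands in for a "childless" notification here and is
# not the draft's value.  Payload types 128-255 are private use in RFC 4306.
HYPOTHETICAL_CHILDLESS_NOTIFY = struct.pack("!BBH", 0, 0, 40960)
PRIVATE_PAYLOAD_TYPE = 200

if __name__ == "__main__":
    # 1. C bit on a Notify: type 41 is understood by every peer, so the bit is
    #    ignored and no error results, which is exactly Tero's objection.
    first, msg = build_payload_chain([(PAYLOAD_N, HYPOTHETICAL_CHILDLESS_NOTIFY, True)])
    print(receive(first, msg))
    # 2. C bit on an unknown payload type: UNSUPPORTED_CRITICAL_PAYLOAD goes back.
    first, msg = build_payload_chain([(PRIVATE_PAYLOAD_TYPE, b"\x00", True)])
    print(receive(first, msg))
    # 3. The same unknown type with C clear is skipped and the chain continues.
    first, msg = build_payload_chain([(PRIVATE_PAYLOAD_TYPE, b"\x00", False),
                                      (PAYLOAD_V, b"ACME", False)])
    print(receive(first, msg))
```

Case 1 is the behaviour the thread is about: a Notify or Vendor ID payload carrying the C bit is processed like any other Notify or Vendor ID, so a responder that does not know the new notification simply continues the exchange. Only an unknown payload type (case 2) produces UNSUPPORTED_CRITICAL_PAYLOAD, and an unknown exchange type is rejected even earlier, at the IKE header, which is why a new exchange type gives the "refuse if not understood" property that the critical bit cannot.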