Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00.txt
Yoav Nir <ynir@checkpoint.com> Wed, 14 August 2013 14:30 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F38C611E8175 for <ipsec@ietfa.amsl.com>; Wed, 14 Aug 2013 07:30:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62K8YdiK2HfC for <ipsec@ietfa.amsl.com>; Wed, 14 Aug 2013 07:29:58 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id A7D2C11E8166 for <ipsec@ietf.org>; Wed, 14 Aug 2013 07:29:47 -0700 (PDT)
Received: from DAG-EX10.ad.checkpoint.com ([194.29.34.150]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r7EDOwdn005721; Wed, 14 Aug 2013 16:24:58 +0300
X-CheckPoint: {520B852A-0-1B221DC2-1FFFF}
Received: from IL-EX10.ad.checkpoint.com ([169.254.2.105]) by DAG-EX10.ad.checkpoint.com ([169.254.3.223]) with mapi id 14.02.0342.003; Wed, 14 Aug 2013 16:24:57 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Valery Smyslov <svanru@gmail.com>
Thread-Topic: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00.txt
Thread-Index: AQHOmPGrxZY+CIrhHk+QOWo1456QUg==
Date: Wed, 14 Aug 2013 13:24:56 +0000
Message-ID: <587E0A87-381F-4950-A495-CC8F1706DE7E@checkpoint.com>
References: <20130812223310.2768.80108.idtracker@ietfa.amsl.com> <482E5FF2-2AD7-469B-9679-A5945E609A5F@checkpoint.com> <69110CB5C30743C4A03CCAB62F7D9843@buildpc>
In-Reply-To: <69110CB5C30743C4A03CCAB62F7D9843@buildpc>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [91.90.139.159]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11bc3e95c5cf29653e45d6ae696f51d0ec0a7d9ac3
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <FF423AB805B72143B2C9AF9E11F4A7B4@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<ipsec@ietf.org>" <ipsec@ietf.org>
Subject: Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 14:30:05 -0000
On Aug 14, 2013, at 12:52 PM, Valery Smyslov <svanru@gmail.com> wrote: > Hi Yoav, > > isn't it better to do Child SAs movement in a separate Informational Exchange, > rather than in IKE_AUTH? > > Pros: > 1. No race conditions You would then have three operations that you need to do: a. Re-authenticate - create a new IKE SA b. Move the IPsec SAs c. Delete the old IKE SA Each of (b) and (c) could be done by any peer, not necessarily the same one that did (a). If we get a DELETE before all the IPsec SAs were transferred, some SAs could be deleted, or worse - they could be deleted on only one peer. > 2. No additional complication to already over-complicated IKE_AUTH It adds one more thing for the peers to do during IKE_AUTH, but it doesn't make a difference if the extra thing is within IKE_AUTH or immediately after. If the issue is the length of the packet, I believe we are already solving this. > 3. More generic solution, so can be used in other situations, > for example in case IKA SA is cloned (draft-mglt-ipsecme-keep-old-ike-sa). Interesting point. That draft does not, in fact, state what happens to the child SAs. Since the old SA is kept, I guess they remain, and when the old IKE SA does eventually get deleted, the child SAs are also deleted. Nor does it help to specify that they move: the new IKE SA might get deleted first. > Contras: > 1. Extra round trip. > > Regards, > Valery Smyslov.
- [IPsec] Fwd: I-D Action: draft-nir-ipsecme-cafr-0… Yoav Nir
- Re: [IPsec] Fwd: I-D Action: draft-nir-ipsecme-ca… Valery Smyslov
- Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00… Valery Smyslov
- Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00… Yoav Nir
- Re: [IPsec] I-D Action: draft-nir-ipsecme-cafr-00… Yoav Nir