Re: [IPsec] Some comments on draft-mglt-ipsecme-keep-old-ike-sa-00
"Valery Smyslov" <svanru@gmail.com> Thu, 25 July 2013 07:27 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D57321F9A44 for <ipsec@ietfa.amsl.com>; Thu, 25 Jul 2013 00:27:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.007
X-Spam-Level: *
X-Spam-Status: No, score=1.007 tagged_above=-999 required=5 tests=[AWL=-1.006, BAYES_50=0.001, FAKE_REPLY_C=2.012]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ONwKpV1CVtt for <ipsec@ietfa.amsl.com>; Thu, 25 Jul 2013 00:27:10 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) by ietfa.amsl.com (Postfix) with ESMTP id A59BB21F9A30 for <ipsec@ietf.org>; Thu, 25 Jul 2013 00:27:09 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id a16so1257407lbj.3 for <ipsec@ietf.org>; Thu, 25 Jul 2013 00:27:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:subject:date:mime-version:content-type :content-transfer-encoding:x-priority:x-msmail-priority:x-mailer :x-mimeole; bh=ebG0/52ynv4UfUpsgqqY31TnRRAEqLNyjGGvRspEKRM=; b=iMGud/EV9b331vTH4su0a3CLOxqJLls64RFFBdyjcS5GREnNaB6JMkroVOl0KP028L SmUbp8u3VvpAzXhnIvgre5NOuhoX375igCkOK8dqXqOf3qOfZq0Jb6UnqueRjojL5Foz ikzeuYtauf0X1aRkVJhzCJ0pUkG7AJxnMVyBj5TTGxNu/INDnvNezZqQWBrLgMYs+o41 kJyUEFG891lUtUAZW7AZJufaDd+hdyn1ya8IcJwTvDhShDQmPK4Ziav5r2HYqYvgAZwU qQGtFE4IbD4p+c4W6wJh/hIlKjZSNb2w+NfMtp9j6bAiHlFxpJXmZXi1TzsCr0Gz4CaB zfIA==
X-Received: by 10.112.133.137 with SMTP id pc9mr17970146lbb.27.1374737228453; Thu, 25 Jul 2013 00:27:08 -0700 (PDT)
Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id k10sm15871502lbl.10.2013.07.25.00.27.06 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 25 Jul 2013 00:27:07 -0700 (PDT)
Message-ID: <C9BFF959BA6C459A834CD76F432570B8@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: IPsecme WG <ipsec@ietf.org>
Date: Thu, 25 Jul 2013 11:27:11 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Subject: Re: [IPsec] Some comments on draft-mglt-ipsecme-keep-old-ike-sa-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2013 07:27:10 -0000
Hi, some comments on the draft-mglt-ipsecme-keep-old-ike-sa-00. 1. Draft makes some suggestions that IKEv2 allows IKE SA to be silently deleted after successfull rekey. From my understanding of IKEv2, it is wrong, as RFC5996 states several times that IKE SA may be silently deleted only in case of fatal error, like SYNTAX_ERROR, or when peer doesn't respond. In all other cases, including rekey, SA must be deleted explicitly, by sending Delete Payload to the peer. From my understanding, it is initiator of rekey, who is responsible for sending Delete Payload after rekey succeeded. If it doesn't send Delete Payload, old IKE SA will be kept, even without special notifications. So, the name KEEP_OLD_IKE_SA for the notification is probably a bit misleading, as old IKE SA will be kept in any case untill initiator of rekey explicitly deletes it. I think that the real purpose of this notification is to tell responder, that this is not a rekey, but a request to clone old IKE SA, and that in this case responder must not move all child SAs from old IKE SA to the new one. Maybe the better name would be CLONE_IKE_SA. 2. Is there a real value for "Code Values" field? There are two possible values listed - "Keep Old IKE_SA" and "Unused Old IKE_SA". As far as I understand, the former is used if initiator wants to keep SA, and the latter - if it doesn't. But this may be indicated by the precence of notification (keep) or the absence of it (normal rekey, don't keep). 3. What is the purpose of "Question Bit"? 4. I very much don't like the idea to combine this notification with IKE_AUTH exchange, described in Appendix B.5. First, IKE_AUTH is already very complex due to a lot of options and making it more complex must be very well justified. I don't think that reducing a round trip is good justification here. And second, it will not be backward compatible, as initiator doesn't know yet if responder supports this extension, but already uses modified IKE_AUTH exchange. As result - unsupporting responder will be choked by the presense of extra SA, N, KE payloads and most probably returns INVALID_SYNTAX. 5. Typo in the first sentence of B.2 - two "the' and extra "set" (or "establish"). Regards, Valery Smyslov.
- Re: [IPsec] Some comments on draft-mglt-ipsecme-k… Valery Smyslov
- Re: [IPsec] Some comments on draft-mglt-ipsecme-k… Daniel Migault