Re: [IPsec] Some comments on draft-mglt-ipsecme-keep-old-ike-sa-00
"Valery Smyslov" <svanru@gmail.com> Thu, 25 July 2013 07:27 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D57321F9A44 for <ipsec@ietfa.amsl.com>; Thu, 25 Jul 2013 00:27:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.007
X-Spam-Level: *
X-Spam-Status: No, score=1.007 tagged_above=-999 required=5 tests=[AWL=-1.006, BAYES_50=0.001, FAKE_REPLY_C=2.012]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ONwKpV1CVtt for <ipsec@ietfa.amsl.com>; Thu, 25 Jul 2013 00:27:10 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) by ietfa.amsl.com (Postfix) with ESMTP id A59BB21F9A30 for <ipsec@ietf.org>; Thu, 25 Jul 2013 00:27:09 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id a16so1257407lbj.3 for <ipsec@ietf.org>; Thu, 25 Jul 2013 00:27:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:subject:date:mime-version:content-type :content-transfer-encoding:x-priority:x-msmail-priority:x-mailer :x-mimeole; bh=ebG0/52ynv4UfUpsgqqY31TnRRAEqLNyjGGvRspEKRM=; b=iMGud/EV9b331vTH4su0a3CLOxqJLls64RFFBdyjcS5GREnNaB6JMkroVOl0KP028L SmUbp8u3VvpAzXhnIvgre5NOuhoX375igCkOK8dqXqOf3qOfZq0Jb6UnqueRjojL5Foz ikzeuYtauf0X1aRkVJhzCJ0pUkG7AJxnMVyBj5TTGxNu/INDnvNezZqQWBrLgMYs+o41 kJyUEFG891lUtUAZW7AZJufaDd+hdyn1ya8IcJwTvDhShDQmPK4Ziav5r2HYqYvgAZwU qQGtFE4IbD4p+c4W6wJh/hIlKjZSNb2w+NfMtp9j6bAiHlFxpJXmZXi1TzsCr0Gz4CaB zfIA==
X-Received: by 10.112.133.137 with SMTP id pc9mr17970146lbb.27.1374737228453; Thu, 25 Jul 2013 00:27:08 -0700 (PDT)
Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id k10sm15871502lbl.10.2013.07.25.00.27.06 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 25 Jul 2013 00:27:07 -0700 (PDT)
Message-ID: <C9BFF959BA6C459A834CD76F432570B8@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: IPsecme WG <ipsec@ietf.org>
Date: Thu, 25 Jul 2013 11:27:11 +0400
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Subject: Re: [IPsec] Some comments on draft-mglt-ipsecme-keep-old-ike-sa-00
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2013 07:27:10 -0000
Hi,
some comments on the draft-mglt-ipsecme-keep-old-ike-sa-00.
1. Draft makes some suggestions that IKEv2 allows IKE SA to
be silently deleted after successfull rekey. From my understanding
of IKEv2, it is wrong, as RFC5996 states several times that
IKE SA may be silently deleted only in case of fatal error,
like SYNTAX_ERROR, or when peer doesn't respond.
In all other cases, including rekey, SA must be deleted
explicitly, by sending Delete Payload to the peer.
From my understanding, it is initiator of rekey, who is
responsible for sending Delete Payload after rekey succeeded.
If it doesn't send Delete Payload, old IKE SA will be kept,
even without special notifications. So, the name KEEP_OLD_IKE_SA
for the notification is probably a bit misleading, as old IKE SA
will be kept in any case untill initiator of rekey explicitly deletes
it.
I think that the real purpose of this notification is to tell responder,
that this is not a rekey, but a request to clone old IKE SA,
and that in this case responder must not move all child SAs
from old IKE SA to the new one. Maybe the better name would be
CLONE_IKE_SA.
2. Is there a real value for "Code Values" field? There are two possible
values listed - "Keep Old IKE_SA" and "Unused Old IKE_SA".
As far as I understand, the former is used if initiator wants
to keep SA, and the latter - if it doesn't. But this may be
indicated by the precence of notification (keep) or the absence
of it (normal rekey, don't keep).
3. What is the purpose of "Question Bit"?
4. I very much don't like the idea to combine this notification
with IKE_AUTH exchange, described in Appendix B.5.
First, IKE_AUTH is already very complex due to a lot of
options and making it more complex must be very well
justified. I don't think that reducing a round trip is
good justification here. And second, it will not be
backward compatible, as initiator doesn't know yet if
responder supports this extension, but already uses
modified IKE_AUTH exchange. As result - unsupporting
responder will be choked by the presense of extra SA, N, KE
payloads and most probably returns INVALID_SYNTAX.
5. Typo in the first sentence of B.2 - two "the' and extra "set" (or
"establish").
Regards,
Valery Smyslov.
- Re: [IPsec] Some comments on draft-mglt-ipsecme-k… Valery Smyslov
- Re: [IPsec] Some comments on draft-mglt-ipsecme-k… Daniel Migault