IETF Logo Mail Archive

Re: [IPsec] FW: New Version Notification for draft-liu-ipsecme-ikev2-rekey-redundant-sas-00.txt

Paul Wouters <paul.wouters@aiven.io> Mon, 22 November 2021 14:49 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC53E3A0BCC for <ipsec@ietfa.amsl.com>; Mon, 22 Nov 2021 06:49:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ujDOdtmpbZt3 for <ipsec@ietfa.amsl.com>; Mon, 22 Nov 2021 06:49:31 -0800 (PST)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C8AE3A0BCA for <ipsec@ietf.org>; Mon, 22 Nov 2021 06:49:31 -0800 (PST)
Received: by mail-ed1-x52a.google.com with SMTP id e3so78042429edu.4 for <ipsec@ietf.org>; Mon, 22 Nov 2021 06:49:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=date:from:to:cc:subject:in-reply-to:message-id:references :mime-version; bh=MhSX6s+TyE8wdVYRKWZXmRKXi7GGaL7IH4eq/gdRNE8=; b=mD6hgijf+n2OdwsTFl1eOyvBKDGHhPBk+awmDEeB0rbJVBBBxw73YFe5r+pBb/NxXe 4ZWCrFaaWy87zycxhI8nWbcv9AcMGIFkRROTXE6hNHMHnpHMrNrOkFpEmlnLPGbIOOoD oB4Fte9mgTm+AOWNLqF/tkFQHqpuLhyXy1OUY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:mime-version; bh=MhSX6s+TyE8wdVYRKWZXmRKXi7GGaL7IH4eq/gdRNE8=; b=x9zkZcR+OaGZZLUbqPsfP0H9YjnxB4xxaL/HIqMI8yOb4CfGqdKEjy23FqeFHUGrGk 4EN+f3I04UHHiXj6GYJ/rJGvf2qQroS6Z5arm7ujBMc0M9VxjD1ejxcD0zfi1E9CRrB+ JzL+xqZYNAV7ZEeSspwg3wTDBpjQazyD6txmhsuHNAOrdU89jxCy4YboaydKbjwvLkL6 WK4UBZnltZPkQEp2wJ0bE6tzVeZZhnOxWmQjgQxN/GS5AU22/V0WDU+yV/yACcs8bf3d g5euFOt/iH1SenbQukFIQZKa2DRijiaWRxJvmttpvqPfYGUIL0jhR2k9V3BS9ePik0yg Lm1w==
X-Gm-Message-State: AOAM530vJV7aQ3x/ePTBuX1PGDstX+SF7bjc6i4hu74r9XDUmoI9jTXS fAE1gsWVisY630PEVNyJAwxMiOwywYrjfINy
X-Google-Smtp-Source: ABdhPJzWkF3PqHIxtH9kMECG04zPlyS7FcLZEWoWVubTqESWVwe9kIF6qvuI4sz2KrT9qYGbEk0vMg==
X-Received: by 2002:a17:907:3f83:: with SMTP id hr3mr42080577ejc.555.1637592566660; Mon, 22 Nov 2021 06:49:26 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca. [193.110.157.194]) by smtp.gmail.com with ESMTPSA id r11sm4469519edd.70.2021.11.22.06.49.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Nov 2021 06:49:26 -0800 (PST)
Date: Mon, 22 Nov 2021 09:49:22 -0500
From: Paul Wouters <paul.wouters@aiven.io>
To: Harold Liu <harold.liu=40ericsson.com@dmarc.ietf.org>
cc: "ipsec@ietf.org" <ipsec@ietf.org>
In-Reply-To: <AM6PR07MB6056A9CCECA59F8035D04543EB9F9@AM6PR07MB6056.eurprd07.prod.outlook.com>
Message-ID: <fc922cce-fdf2-62c1-8b66-588886479864@nohats.ca>
References: <163756302647.16358.8631436336190852796@ietfa.amsl.com> <AM6PR07MB6056A9CCECA59F8035D04543EB9F9@AM6PR07MB6056.eurprd07.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/Zmh_QGiqO6rj7ZR5BLFxbQX_i8E>
Subject: Re: [IPsec] FW: New Version Notification for draft-liu-ipsecme-ikev2-rekey-redundant-sas-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Nov 2021 14:49:36 -0000

On Mon, 22 Nov 2021, Harold Liu wrote:

> Recently we ran into a real problem in some IPsec use case - IKEv2 protocol supports rekey mechanism for IKE Security Association (SA) and Child SA, but may result in redundant SAs ([RFC7296], section 2.8.1) when both peers start rekeying at the same time.
> Although in such case IKEv2 selects the SA created with the lowest of the four nonces and the redundant SA SHOULD be deleted by the endpoint that created it, but it is not enough.
> Because among the standards, frequent rekeying is highly recommended, but such an approach can be non-optimal when SA are frequently rekeys as SAs are unnecessary computed and adds an additional IKEv2 exchange.

Is your implementation not using a rekey fuzz of say 1 to 5 % ? In that
way, two endpoints are extremely unlikely to rekey at the exact same
time.

> So this document defines the Rekeying Priority in IKEv2 extension which enables to agree roles for rekeying of child SAs and optimize IKEv2 rekey negotiation.

I don't think the role of Initiator or Responder should be changed based
on a random value. It is really based on which end has the shortest
lifetime, which is not negotiated, presuming both ends want the
connection to stay up.

In a classic, client to server IPsec connection, it should really be the
client that initiates the rekey, and the server is just there to
facilitate the client's needs.

> The below announcement is that draft. We would like to work with the community to improve and clarify tech draft.

I don't think this document is needed if "fuzz" is used. Can you clarify
why you think using random fuzz on the keylife is not good enough?

Paul

v2.23.0 | Report a Bug | By Email