Re: [IPsec] Regarding ISAKMP SA lifetime negotiation.

Yoav Nir <> Mon, 04 March 2013 16:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 70D5121F869C for <>; Mon, 4 Mar 2013 08:00:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.649
X-Spam-Status: No, score=-9.649 tagged_above=-999 required=5 tests=[AWL=0.350, BAYES_00=-2.599, J_CHICKENPOX_25=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zE3tR0ixp0un for <>; Mon, 4 Mar 2013 08:00:41 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 81B6021F8C1A for <>; Mon, 4 Mar 2013 08:00:34 -0800 (PST)
Received: from ([]) by (8.13.8/8.13.8) with ESMTP id r24G0MVp015351; Mon, 4 Mar 2013 18:00:26 +0200
X-CheckPoint: {5134C4CB-19-1B221DC2-2FFFF}
Received: from ([]) by ([]) with mapi id 14.02.0342.003; Mon, 4 Mar 2013 18:00:22 +0200
From: Yoav Nir <>
To: Tero Kivinen <>
Thread-Topic: [IPsec] Regarding ISAKMP SA lifetime negotiation.
Thread-Index: Ac4Y4ESuGmhSbq0+TBy5np9wzLbTAf//5+wAgAAYwoA=
Date: Mon, 04 Mar 2013 16:00:22 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>, "Anoop V A (anova)" <>
Subject: Re: [IPsec] Regarding ISAKMP SA lifetime negotiation.
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Mar 2013 16:00:42 -0000

On Mar 4, 2013, at 4:31 PM, Tero Kivinen <> wrote:

> Anoop V A (anova) writes:
>> Hello experts,
>>   I have a generic doubt regarding the ISAKMP SA(phase 1) life time
>>   negotiation. My  query is can we agree up on the  ISAKMP life
>>   time in the first two messages of MM or AM. 
>> What I want to know is  - the life time is sent as an proposal
>> attribute in the first two messages of Main mode and aggressive
>> mode. We are not negotiating the parameter so if the responder is
>> having a less life time value configured - then can we transfer this
>> info in the MM2 or AM2 message from the responder along with the
>> negotiated proposal attributes. Basically I am trying to change the
>> life time attribute sent by the initiator - in this scenario. 
> Anything extra (notifications etc) you send inside the main mode or
> agressive mode packets are not authenticated, so sending responder
> life time notifications is not good idea (and the other end will
> simply ignore it).

This is true for MM2, but not for MM6. MM6 is encrypted and authenticated, so the peer can and should (if they implemented the draft) use it.

>> We have the responder life time notify mechanism as per the draft
>> (draft-ietf-ipsec-ike-lifetime-00), but the separate notify messages
>> are not reliable in IKEv1(Uni directional)
> That is expired very old draft that did not get forward, there is no
> point of implementing that... 

It makes sense for working with implementations where you can't configure such parameters, like VPN clients. Sadly, none of the generic IKEv1-using clients (like the L2TP clients) seem to support this draft.

>> In short my questions are:
>> 1.       Can we send the responder life time notification in MM6 or
>>         AM2 message from the responder?
> You can, but most likely all implementations will ignore them, and
> if any implementation does not ignore them, that opens attack where
> attacker can shorten the lifetime at will by just adding such
> notification. 

MM6 and AM2 are protected.

>> 2.       Or can we alter the life time attribute of the ISAKMP SA
>>         proposal offer?( Is this considers as  a violation of the
>>         RFC)
> That is considered violation of the RFC, thus all complient
> implemnetations will reject the proposal. RFC2408 section 4.2 Security
> Association Establishment last paragraph:
> 								The
>   initiator MUST verify that the Security Association payload received
>   from the responder matches one of the proposals sent initially.
> Easy answer to all of your questions is to NOT use the protocol that
> was obsoleted more than 7 years ago (IKEv1 was obsoleted by IKEv2 in
> 2005), and instead start to use current version of the protocol i.e
> IKEv2, which already solves those problem (the notifications are
> authenticated, the lifetimes are removed and moved to local matter,
> the informational exchanges are reliable etc).

Now that I agree with. This draft addresses one deficiency in IKEv1. The reason to support IKEv1 today is to support legacy implementations. I don't think anyone is adding this feature now to legacy implementations. So yes, <hat type="vendor"> Check Point code supports it, but </hat> it's better to use IKEv2 where interoperability with different configured lifetimes has been shown to work.