IETF Logo Mail Archive

Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)

Jouni <jouni.nospam@gmail.com> Mon, 05 May 2014 20:51 UTC

Return-Path: <jouni.nospam@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FCD61A0643 for <ipsec@ietfa.amsl.com>; Mon, 5 May 2014 13:51:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uLEfPDgh4s2f for <ipsec@ietfa.amsl.com>; Mon, 5 May 2014 13:51:15 -0700 (PDT)
Received: from mail-la0-x22b.google.com (mail-la0-x22b.google.com [IPv6:2a00:1450:4010:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 81F4D1A0640 for <ipsec@ietf.org>; Mon, 5 May 2014 13:51:15 -0700 (PDT)
Received: by mail-la0-f43.google.com with SMTP id gl10so954435lab.16 for <ipsec@ietf.org>; Mon, 05 May 2014 13:51:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=8Zwcx/v89DB9J/KBDGd0MZZCExuyE3CADvz0SyLYm6I=; b=nWT/Jxn+ggYAtTtDkt7IlFnWQ7r9w0vBQhFmXbQlm/h/65BGILqIjXnO0CmLkxMhau rvSV8dOfHNmS5VKtf7TcRcXhxM4e/YcVjob82tVoeX5BTYUAX5P+Mb0tWt+ELETe0QHs wTNLh9p4MjkAinwx4SyUAK5vdv1nzPNRTT0jXqfsfanw2MDZWjgsYG8yFQGEnsXntkpr l4xZsXjQ26gS3anY9kKJ+ml9ClEUcVN9IfmMjjyXLDm1ZU+iM/avA7J3gW44z7yCeKVV mgX28f8dXMH3UNf8jp6wnhwxZ3gYBHzQzLUQDcL4uGhgk3+dwJB6HFkwdHlWr9HNk7NQ gzuQ==
X-Received: by 10.112.12.103 with SMTP id x7mr3551768lbb.36.1399323071310; Mon, 05 May 2014 13:51:11 -0700 (PDT)
Received: from ?IPv6:2001:1bc8:101:f101:d5a4:211a:a8ec:b8ab? ([2001:1bc8:101:f101:d5a4:211a:a8ec:b8ab]) by mx.google.com with ESMTPSA id x5sm10769206lbk.5.2014.05.05.13.51.09 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 05 May 2014 13:51:10 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: text/plain; charset="windows-1252"
From: Jouni <jouni.nospam@gmail.com>
In-Reply-To: <CAPfd2wOzdLGewUz5vHixRT=hG2orEzZ2cG5O2zRV3ee4fy4ztw@mail.gmail.com>
Date: Mon, 05 May 2014 23:51:08 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <68C598E1-9409-4ED1-8907-4C9ECC34A03E@gmail.com>
References: <AD5AD8B0B070044BAD3C37D7057F37E153FE638D@szxeml513-mbx.china.huawei.com> <E1DF8B79-5C70-43EF-AA52-1F13F1A77C7B@gmail.com> <AD5AD8B0B070044BAD3C37D7057F37E153FE64F9@szxeml513-mbx.china.huawei.com> <CAPfd2wPyOgMAWGzwo2Aepxn09-_fvrMzBc=sTfLafbp+yWMSPg@mail.gmail.com> <357CC5D9-48D2-4E4E-BB2F-5F002FF824C8@gmail.com> <CAPfd2wOzdLGewUz5vHixRT=hG2orEzZ2cG5O2zRV3ee4fy4ztw@mail.gmail.com>
To: Ahmad Muhanna <asmuhanna@gmail.com>
X-Mailer: Apple Mail (2.1283)
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/bnz8ykYBaJisYdr0DK3C0rdNFmk
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "kilian.weniger@googlemail.com" <kilian.weniger@googlemail.com>, Vijay Kumar <vjkumar2003@gmail.com>, vijay kn <vijay.kn@huawei.com>
Subject: Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 20:51:18 -0000

Ahmad,

I could be wrong but MOBIKE should technically allow the responder (SeGW here) to update the addresses in the IPsec SA. At least that is how I interpret the text in RFC4555 Section 3.5. Currently that is restricted to a single specific scenario, though (and this to work, would require SeGWs be able to share required SA information between each other using some mechanism).

- Jouni

On May 5, 2014, at 7:29 PM, Ahmad Muhanna wrote:

> Hello Jouni,
> 
> If my understanding is correct, MOBIKE allows the client to move its IKE tunnel from one SeGW to another based on Handover, for example. A multihoming IKE, if I may say.
> What Vijay is trying to address (at least this is my understanding) here is the scenario from the other end. When the SeGW is overloaded and would like to REDIRECT the client to another SeGW. The client won't know the condition at the SeGW and the SeGW is the one who initiates the proposed move.
> 
> Regards,
> Ahmad
> 
> 
> 
> On Mon, May 5, 2014 at 9:03 AM, Jouni <jouni.nospam@gmail.com> wrote:
> 
> Just a thought.. would MOBIKE be any use here? At least one would be able to move the SeGWs on fly (assuming the source and destination SeGW are able to share required information between each other).
> 
> - Jouni
> 
> On May 5, 2014, at 3:45 PM, Ahmad Muhanna wrote:
> 
> > Hi Vijay,
> >
> > Please see comments inline.
> >
> > On Mon, May 5, 2014 at 12:30 AM, vijay kn <vijay.kn@huawei.com> wrote:
> > Hi Ahmad,
> >
> > If you meant re-negotiating is IKEv2 rekey then it will not work because IKEv2 rekey will not send any IKE_SA_INIT packet. As of now, the RFC says that REDIRECT_SUPPORTED payload can be sent only in IKE_SA_INIT msg.
> >
> > OR
> >
> > If you meant re-negotiating is completely delete the current SA and re-negotiate the SA from scratch, this would lead to service loss/pkt loss.
> >
> >
> >
> > [Ahmad]
> > Yes. I meant the later.
> >
> > If we look at all scenarios that could be applicable to what you are trying to solve, one end of the IKE SA needs to be upgraded to support REDIRECTION. In my experience, that always happens in a controlled environment (i.e., a maintenance window). In addition, operators do this kind of activity very carefully and NOT globally; meaning, they upgrade a limited number of nodes at a time or during a specific period.
> >
> > The fact that the client and the SeGW -OR- the peers are from different vendors or even in different operator domains for the sake of making this more complex, it is always the case that when a new functionality is introduced, there is an expectation of service interruption.
> >
> > NOW: even if we allow this feature as part of this RFC, there is still no guarantee for the functionality to be successfully negotiated using the proposed solution. Because that will introduce another level of complexity and other backward compatibility scenarios that need to be considered when one of the peers support this functionality and the other does not.
> >
> > For example: what about if the SeGW support REDIRECTION as per RFC5685 but NOT by the newly introduced functionality (assuming that has been adopted). Although, the SeGW support REDIRECTION, but it would NOT be able to recognize and support this functionality. This means that it wont work but renegotiation of the IKE SA will still work.
> >
> > IMO, what you are trying to do is a completely new feature that is not in the scope of this RFC and that is why I said this RFC does not need to be updated or changed. I believe what you are trying to do is some kind of dynamic mechanism that allow one peer to check with the other peer on what kind of functionality it supports vs. what it does NOT support with some forward compatibility in mind.
> > That is totally and completely different than this RFC and can be applicable to many other scenarios and RFCs other than this one.
> >
> > I hope I am making sense.
> >
> > Regards,
> > Ahmad
> >
> >
> > Recommendation: -
> >
> > Since the base stations normally establish Tunnel with other vendor base stations and/or other vendor Gateways which may or may not support  REDIRECT, it is better to add this solution (client to send a new INFO msg with the REDIRECT_SUPPORTED notify payload) to enable a SMOOTH inter-op with other vendor implementations.
> >
> >
> >
> > Because of these reasons, I feel the RFC needs correction.
> >
> >
> >
> >
> >
> > From: Ahmad Muhanna [mailto:asmuhanna@gmail.com]
> > Sent: Sunday, May 04, 2014 9:41 PM
> > To: vijay kn
> > Cc: vijay@wichorus.com; kilian.weniger@googlemail.com; ipsec@ietf.org; vjkumar2003@gmail.com
> > Subject: Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)
> >
> >
> >
> > Hi, Vijay,
> >
> >
> >
> > I am NOT one if the authors of this RFC but I recall the discussion and the use case. If I understand the scenario correctly, the client in this case (eNB) negotiated an IKE SA without indicating the ability to support REDIRECT. If that is the case, the client should renegotiate IKE SA after being upgraded to support this functionality. My understanding renegotiating IKE SA is supported.
> >
> >
> >
> > IMO, I do not think that anything in this RFC needs to be changed.
> >
> >
> > Regards,
> >
> > Ahmad Muhanna
> >
> >
> > On May 2, 2014, at 9:14 AM, vijay kn <vijay.kn@huawei.com> wrote:
> >
> > Hi,
> >
> > There is an issue in IKEv2 REDIRECT RFC 5685. In one scenario, the IKEv2 REDIRECT will not work indefinitely.
> >
> >
> >
> > Scenario: -
> >
> > Let’s assume there are about 1000 clients connected to a IKEv2 REDIRECT enabled SeGW. None of the clients were IKEv2 redirect enabled at the time of establishing SA with the SeGW (meaning they have not sent the REDIRECT_SUPPORTED notification in the
> >
> > IKE_SA_INIT message)
> >
> > This will lead to a situation where the SeGW is loaded and wanting to redirect some clients to another SeGW but it cannot REDIRECT them as none of them have indicated REDIRECT support in the IKE_SA_INIT message.
> >
> > If the user/operator enabled REDIRECT functionality dynamically (like after SAs were established), then the SeGW is not going to redirect them because it had not received a REDIRECT_SUPPORTED payload from the clients.
> >
> >
> >
> > Effect/Impact: -
> >
> > This leads to a congestion/overload at the gateway when the base stations connecting to the SeGW are several hundred/thousands in number. In the LTE and LTE-A scenarios, this condition is possible where the number of base stations connecting to the SeGW are very high.
> >
> >
> >
> > Suggestion/Solution: -
> >
> > A change is required in RFC 5685 is required as below: -
> >
> > “”Whenever the redirect feature/functionality is enabled at run-time, the client should indicate the same to the SeGW. This can be done by the client sending an INFORMATIONAL message  under the protection of the IKE SA. This message MUST have a REDIRECT_SUPPORTED notify payload to enable the SeGW to redirect them at run-time even though they had initially connected with SeGW without REDIRECT support””
> >
> >
> >
> > Request for comments: -
> >
> > Please read the problem, impact and solution listed above and let me know if any comments. Hope my point is valid and needs to be incorporated as the RFC update.
> >
> >
> >
> >
> >
> > Regards,
> >
> > Vijay N.
> >
> >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> >
> >
> >
> >
> > --
> > Regards,
> > Ahmad
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
> 
> 
> 
> 
> -- 
> Regards,
> Ahmad

v2.23.0 | Report a Bug | By Email