RE: AggressiveMode issue
Roy Pereira <rpereira@TimeStep.com> Mon, 27 April 1998 17:41 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id NAA13574 for ipsec-outgoing; Mon, 27 Apr 1998 13:41:57 -0400 (EDT)
Message-ID: <319A1C5F94C8D11192DE00805FBBADDF063636@exchange.timestep.com.219.168.192.in-addr.arpa>
From: Roy Pereira <rpereira@TimeStep.com>
To: Tero Kivinen <kivinen@ssh.fi>
Cc: ipsec@tis.com
Subject: RE: AggressiveMode issue
Date: Mon, 27 Apr 1998 13:43:00 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
The problem with this approach is that an implementation would have to hold every ISAKMP message sent in a retransmission buffer. That is quite costly for a security gateway handling thousands of connections. Perhaps a better way is to use the COMMIT bit to require a NOTIFY-CONNECT message to be sent to the responder, and then proceed with the QuickMode exchange?

> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@ssh.fi]
> Sent: Monday, April 27, 1998 11:09 AM
> To: Roy Pereira
> Cc: ipsec@tis.com
> Subject: AggressiveMode issue
>
>
> Roy Pereira writes:
> > Not to delay the documents, but I have a question about Aggressive Mode;
> >
> > When the Initiator sends out the third phase 1 message, how does he know
> > that the responder received it so that he can start the Quick Mode
> > exchange?
> >
> >     Initiator                            Responder
> >     ---------                            ---------
> >
> > MainMode:
>   ^^^^^^^^
> I assume this should be aggressive mode...
>
> > 1 HDR, SA, KE, Ni, IDii -->
> > 2                            <-- HDR, SA, KE, Nr, IDir, HASH_R
> > 3 HDR, HASH_I -->
> >
> > QuickMode:
> > 1 HDR*, HASH(1), SA, Ni -->
> > 2                            <-- HDR*, HASH(2), SA, Nr
> > 3 HDR*, HASH(3) -->
> >
> > The problem is that the responder might not get MM3 or that he might get
> > QM1 before he gets MM3.
>
> If the AG3 is lost and the initiator starts quick mode immediately,
> the responder will just silently drop the first quick mode packet.
> After some time the responder notices that it hasn't received the last
> aggressive mode packet and retransmits its second packet (AG2), and
> when the initiator receives that it retransmits its final packet (AG3).
>
> The initiator also keeps retransmitting the QM1 packet until the
> responder replies.
>
> So the exchange is like this:
>
>      Initiator                             Responder
>      ---------                             ---------
> AG1  HDR, SA, KE, Ni, IDii -->
> AG2                            <-- HDR, SA, KE, Nr, IDir, HASH_R
> AG3  HDR, HASH_I -->|  (this packet is lost)
>
> QM1  HDR*, HASH(1), SA, Ni -->  (responder drops this)
>
>      (responder times out and retransmits)
> AG2b                           <-- HDR, SA, KE, Nr, IDir, HASH_R
>
>      (Initiator notices retransmit and retransmits its last packet)
>
> AG3b HDR, HASH_I -->
>      (aggressive mode done, phase I done).
>
>      (Initiator's quick mode times out and it retransmits the packet)
> QM1b HDR*, HASH(1), SA, Ni -->
> QM2                            <-- HDR*, HASH(2), SA, Nr
> QM3  HDR*, HASH(3) -->
>
>      (quick mode exchange done, phase II done).
> --
> kivinen@iki.fi                               Work : +358-9-4354 3218
> SSH Communication Security                   http://www.ssh.fi/
> SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
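The retransmission sequence Tero walks through, as an added discrete-time simulation written for this archive page (not code from either author): AG3 is lost once, the responder silently drops the early QM1, its AG2 timer fires, the initiator answers the duplicate AG2 with AG3 and retransmits QM1, and both phases complete. Message names follow the diagram; the tick-based timers, the one-message-per-side retransmission buffer and the lose-once link model are assumptions.

```python
def run_exchange(drop_first=("AG3",), retransmit_after=3, max_ticks=40):
    """Aggressive Mode then Quick Mode over a link that loses the named
    messages once; returns (trace, completed), trace = (tick, actor, msg, outcome)."""
    lost = set(drop_first)                 # assumed loss model: first copy only
    inbox = {"I": [], "R": []}             # delivered at the start of the next tick
    trace = []
    i = {"name": "I", "phase1": False, "phase2": False, "age": 0}
    r = {"name": "R", "phase1": False, "phase2": False, "age": 0, "ag2_sent": False}

    def send(actor, msg, tick):
        if msg in lost:                    # the link eats this copy
            lost.discard(msg)
            trace.append((tick, actor, msg, "lost"))
            return
        inbox["R" if actor == "I" else "I"].append(msg)
        trace.append((tick, actor, msg, "sent"))

    def retransmit(side, msg, tick):       # each side buffers only its last message
        side["age"] += 1
        if side["age"] >= retransmit_after:
            send(side["name"], msg, tick); side["age"] = 0

    send("I", "AG1", 0)
    for tick in range(1, max_ticks + 1):
        pending = {k: inbox[k] for k in inbox}
        inbox["I"], inbox["R"] = [], []
        for msg in pending["R"]:           # responder handles what arrived
            if msg == "AG1":
                send("R", "AG2", tick)
                r["ag2_sent"], r["age"] = True, 0
            elif msg == "AG3":
                r["phase1"] = True
            elif msg == "QM1" and not r["phase1"]:
                trace.append((tick, "R", msg, "dropped"))  # phase 1 unfinished: silent drop
            elif msg == "QM1":
                send("R", "QM2", tick)
            elif msg == "QM3":
                r["phase2"] = True
        for msg in pending["I"]:           # initiator handles what arrived
            if msg == "AG2":               # first AG2 or a retransmit: (re)send AG3
                send("I", "AG3", tick)
                if not i["phase1"]:
                    i["phase1"] = True
                    send("I", "QM1", tick) # start Quick Mode immediately
            elif msg == "QM2":
                send("I", "QM3", tick)
                i["phase2"] = True
        if r["ag2_sent"] and not r["phase1"]: retransmit(r, "AG2", tick)
        if i["phase1"] and not i["phase2"]: retransmit(i, "QM1", tick)
        if i["phase2"] and r["phase2"]: return trace, True
    return trace, False
```

Run with the defaults to reproduce Tero's diagram (AG3 lost, QM1 dropped, AG2 and AG3 repeated, QM1 repeated, QM2, QM3); pass drop_first=() to see the loss-free six-message run.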