[IPsec] Regarding ISAKMP SA lifetime negotiation.

"Anoop V A (anova)" <anova@cisco.com> Mon, 04 March 2013 13:58 UTC

From: "Anoop V A (anova)" <anova@cisco.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Regarding ISAKMP SA lifetime negotiation.
Date: Mon, 04 Mar 2013 13:57:58 +0000
Message-ID: <0E86FFD429E5FA4A97B86698F6C32AF81C271A91@xmb-rcd-x04.cisco.com>
Subject: [IPsec] Regarding ISAKMP SA lifetime negotiation.

Hello experts,

I have a generic doubt regarding the ISAKMP SA (phase 1) lifetime negotiation. My query is: can we agree upon the ISAKMP lifetime in the first two messages of MM or AM?

What I want to know is this: the lifetime is sent as a proposal attribute in the first two messages of Main mode and Aggressive mode. We are not negotiating the parameter, so if the responder has a lower lifetime value configured, can we transfer this info in the MM2 or AM2 message from the responder along with the negotiated proposal attributes? Basically I am trying to change the lifetime attribute sent by the initiator in this scenario.

We have the responder lifetime notify mechanism as per the draft (draft-ietf-ipsec-ike-lifetime-00), but the separate notify messages are not reliable in IKEv1 (unidirectional).

In short, my questions are:

1. Can we send the responder lifetime notification in the MM6 or AM2 message from the responder?

2. Or can we alter the lifetime attribute of the ISAKMP SA proposal offer? (Is this considered a violation of the RFC?)

Thanks
Anoop
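
An added illustration from the editor (not part of Anoop's message and not any implementation's code): a small Python encoder/decoder for the ISAKMP data attributes that carry Life Type and Life Duration (RFC 2408 section 3.3 TV/TLV attribute format, RFC 2409 Appendix A attribute numbers), plus an initiator-side comparison that flags the situation in question 2, a responder echoing a shorter lifetime than the one offered. The offer and reply values are constructed samples.

```python
import struct

# RFC 2409 Appendix A attribute classes used in the Phase 1 SA proposal.
LIFE_TYPE = 11       # value 1 = seconds, 2 = kilobytes
LIFE_DURATION = 12   # basic (2-octet TV) or variable-length (TLV) encoding
AF_BIT = 0x8000      # RFC 2408 3.3: AF=1 -> Type/Value, AF=0 -> Type/Length/Value


def encode_attribute(attr_type, value):
    """Encode one data attribute: TV form if the value fits 16 bits, else a 4-octet TLV."""
    if value < 0x10000:
        return struct.pack("!HH", AF_BIT | attr_type, value)
    if value >= 0x100000000:
        raise ValueError("lifetime does not fit in 4 octets")
    return struct.pack("!HHI", attr_type, 4, value)


def decode_attributes(data):
    """Decode a run of data attributes into {attribute_type: integer value}."""
    attrs, off = {}, 0
    while off < len(data):
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = raw_type & 0x7FFF
        if raw_type & AF_BIT:           # TV: 'second' is the 2-octet value
            value = second
        else:                           # TLV: 'second' is the length of the value
            value = int.from_bytes(data[off:off + second], "big")
            off += second
        attrs[attr_type] = value
    return attrs


def lifetime_mismatches(offered, reply):
    """Return {attr: (offered, replied)} for lifetime attributes the responder changed.

    A conforming initiator that compares the echoed proposal attribute by attribute
    would see a silently shortened Life Duration here instead of accepting it.
    """
    return {t: (offered.get(t), reply.get(t))
            for t in (LIFE_TYPE, LIFE_DURATION) if offered.get(t) != reply.get(t)}


# Constructed sample: initiator offers 86400 seconds, responder echoes 3600 seconds.
OFFER = encode_attribute(LIFE_TYPE, 1) + encode_attribute(LIFE_DURATION, 86400)
REPLY = encode_attribute(LIFE_TYPE, 1) + encode_attribute(LIFE_DURATION, 3600)

if __name__ == "__main__":
    print(lifetime_mismatches(decode_attributes(OFFER), decode_attributes(REPLY)))
```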