Re: [IPsec] IPsec Digest, Vol 123, Issue 21
Yoav Nir <ynir.ietf@gmail.com> Tue, 19 August 2014 14:32 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDF581A033C for <ipsec@ietfa.amsl.com>; Tue, 19 Aug 2014 07:32:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ruZ-mylD7i4 for <ipsec@ietfa.amsl.com>; Tue, 19 Aug 2014 07:32:16 -0700 (PDT)
Received: from mail-lb0-x231.google.com (mail-lb0-x231.google.com [IPv6:2a00:1450:4010:c04::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 628A71A037E for <ipsec@ietf.org>; Tue, 19 Aug 2014 07:32:15 -0700 (PDT)
Received: by mail-lb0-f177.google.com with SMTP id s7so5623141lbd.36 for <ipsec@ietf.org>; Tue, 19 Aug 2014 07:32:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=GYR8c/ZfFUGaldk/LA43/XpCsPvZJ2Gal2ZQg7qEf7M=; b=naSufhS1rK4mRzMlXXruR2KrdQ7wYg1z/CV5UqNwN5B3rtsQ401dt/Saa4iNipcuK6 Vrw9ngrO0QcuUjfSJtXwoL96oDlpouxMFLIpHupuqTfFWOAu5lZr82u9QeBBlPaCxwxm sMTCZ5K/m6xfW59sPJHv7hNHQd6gjerjT/VCwfRLR3RZ267Rdq3wSx9/Ql3Ehv7Utgfj iVMXzPh+N7Ve15QhHHy4sbNifYSRGHtqMozLOzkdDBNXCzARIDfjV2rkQIkUQQ2TExU6 LT1yc8ZdmECk9Ysw/8eW5tKMLMg3IVelsVLySqfM69kpDKlrqcTeenMHSeu3UH2/47Kv 2qng==
X-Received: by 10.112.173.136 with SMTP id bk8mr33218685lbc.88.1408458732500; Tue, 19 Aug 2014 07:32:12 -0700 (PDT)
Received: from [172.24.250.90] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id dq2sm32385962lbc.12.2014.08.19.07.32.11 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 19 Aug 2014 07:32:11 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_F2FCC591-7E5F-413A-82AC-0E2467D93716"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <9852A873-1EEA-45EC-AEA3-BA654249A662@gmail.com>
Date: Tue, 19 Aug 2014 17:32:09 +0300
Message-Id: <E3D6D40E-FDFD-443E-BC11-81CF34A5F319@gmail.com>
References: <mailman.4236.1406823571.13632.ipsec@ietf.org> <A0463391-0BB4-408F-874B-A6B91ED6D102@gmail.com> <21490.4420.127387.489490@fireball.kivinen.iki.fi> <9852A873-1EEA-45EC-AEA3-BA654249A662@gmail.com>
To: Les Leposo <leposo@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/e37voAsaXFrrsbjUsN7nyP8MmME
Cc: ipsec@ietf.org, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] IPsec Digest, Vol 123, Issue 21
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 14:32:19 -0000
On Aug 18, 2014, at 8:23 PM, Les Leposo <leposo@gmail.com> wrote: > > On Aug 18, 2014, at 5:44 PM, Tero Kivinen <kivinen@iki.fi> wrote: > >> Les Leposo writes: >>>> The iphone (which is only rumored to do IKEv2 with iOS8 likely to be >>>> released in September this year) currently has a >>>> terrible record of continuously re-establishing connections. Like >>>> whenever the screen saver hits it will tear down the tunnel. With >>>> an always-on profile, that means if I unblanc the screen, it will >>>> start a new IKE session. >>>> >>> ikev2 "session resumption" promised some improvements over ikev1 - >>> frankly that is part of the spec that needs to be 'MUST' and not >>> 'SHOULD', for all servers. >> >> You do not need session resumption for that. You just need properly >> done implementation. Unfortunately lots of IKEv2 implementations use >> dead peer detection as periodic keepalive messages, instead of just >> using it to verify whether the other end is alive or not. > >> >> If dead peer detection is implemented properly, as is described in the >> rfc5996, the device can safely go to sleep if there is no traffic >> going between the client and server, and when it wakes up from the >> sleep the IKEv2 connection will still be there, and the other end has >> not teared down the IKE SA (provided there was nothing that would have >> caused it to try to send traffic to the sleeping node). >> >> Unfortunately lots of devices send dead peer messages all the time >> every n seconds, and if device is sleeping during that time, they will >> tear down the IKE SA. This is broken implementation, not problem in >> the protocol. >> >> Yes, session resumption is even better, as it will allow telling the >> other end, that don't even bother trying to send to me anything, I am >> sleeping, but quite a lot can also be done if the implementations are >> done properly. >> > > have you overlooked the issue of nat mappings? > > ipsec nat keepalives are very useful for keeping nat mappings alive, and in a world full of all sorts of nat devices (some behaving reliably and others not), one would have to use low keepalive interval... like 10-60s. > > Now, today's client devices need to be energy efficient - so the device sleeps/hibernates to save battery. > Sleeping past the nat keepalives is bound to happen (either by design or error). > At some point the device will wake from sleep and need to test reachability using dpd. > > And in some cases (if the sleep was more than a certain threshold), rather than wait for dpd to failover, the choice is to go for rekey. It depends which standards you’ve implemented. If you’ve implemented QCD (RFC 6290), then DPD fails or succeeds immediately as long as you have connectivity, and it doesn’t make sense to go directly to a new Initial exchange. AFAIK racoon doesn’t have that. Maybe it has session tickets, which make the Initial exchange lighter. Of course, wiping all state every time you blank the screen is (if true) a very weird implementation choice. Yoav
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Paul Wouters
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Yoav Nir
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Tero Kivinen
- Re: [IPsec] IPsec Digest, Vol 123, Issue 21 Les Leposo