Re: [IPsec] Another round of IKEv2-bis issues

Tero Kivinen <kivinen@iki.fi> Fri, 23 April 2010 13:06 UTC

David Wierbowski writes:
> I don't think we need to mandate how a particular situation should be
> handled.  That is up to the implementer.  The implementer just needs to
> know that there is a rule that states that it is not OK for some child SAs
> to stay up when the IKE_SA disappears.  I think the existing text could be
> deleted.

But the existing text is the text which gives this rule, or at least
tries to. I.e., it tries to say that if an implementation cannot guarantee
that all Child SAs and IKE SAs stay up together, then you cannot
negotiate all those Child SAs using the same IKE SA.

The same thing can partially be seen from the:

  Receipt of a fresh cryptographically protected message on an IKE SA
  or any of its Child SAs ensures liveness of the IKE SA and all of
  its Child SAs.

text, but some people might be missing the point that ALL Child SAs
and corresponding IKE SAs must stay up together.
-- 
kivinen@iki.fi
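As an added illustration of the rule discussed in this message (example code written for this page, not from the thread or from any IKEv2 implementation), here is a small Python model in which liveness is tracked once per IKE SA and shared by all of its Child SAs, and deleting the IKE SA tears down every Child SA it negotiated. SPI names and the timeout value are constructed for the example.

```python
# Added example: a minimal SA database modelling the IKEv2 rule that an
# IKE SA and all its Child SAs share one liveness state and go away
# together. SPI strings and the timeout are constructed values.
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    spi: str
    last_seen: float                      # time of last fresh protected message
    child_spis: set = field(default_factory=set)


class SaDatabase:
    def __init__(self, liveness_timeout: float):
        self.timeout = liveness_timeout
        self.ike_sas = {}       # IKE SPI -> IkeSa
        self.child_to_ike = {}  # Child SPI -> parent IKE SPI

    def create_ike_sa(self, spi: str, now: float) -> None:
        self.ike_sas[spi] = IkeSa(spi, now)

    def create_child_sa(self, ike_spi: str, child_spi: str) -> None:
        # A Child SA only exists under the IKE SA that negotiated it.
        self.ike_sas[ike_spi].child_spis.add(child_spi)
        self.child_to_ike[child_spi] = ike_spi

    def protected_message_received(self, spi: str, now: float) -> None:
        """A fresh protected message on the IKE SA or on ANY of its Child
        SAs refreshes liveness for the IKE SA and all its Child SAs."""
        ike_spi = self.child_to_ike.get(spi, spi)
        self.ike_sas[ike_spi].last_seen = now

    def is_live(self, spi: str, now: float) -> bool:
        """Liveness of a Child SA is exactly the liveness of its IKE SA."""
        ike_spi = self.child_to_ike.get(spi, spi)
        sa = self.ike_sas.get(ike_spi)
        return sa is not None and now - sa.last_seen < self.timeout

    def delete_ike_sa(self, ike_spi: str) -> list:
        """Deleting the IKE SA removes every Child SA it negotiated; no
        Child SA may outlive it. Returns the removed Child SPIs."""
        sa = self.ike_sas.pop(ike_spi)
        for child in sa.child_spis:
            del self.child_to_ike[child]
        return sorted(sa.child_spis)

    def expire_dead(self, now: float) -> dict:
        """Tear down every IKE SA whose liveness lapsed, children included."""
        dead = [s for s in list(self.ike_sas) if not self.is_live(s, now)]
        return {s: self.delete_ike_sa(s) for s in dead}
```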