IETF Logo Mail Archive

Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)

Ahmad Muhanna <asmuhanna@gmail.com> Tue, 06 May 2014 04:18 UTC

Return-Path: <asmuhanna@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB2E91A0103 for <ipsec@ietfa.amsl.com>; Mon, 5 May 2014 21:18:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rcHs_oW8AEcR for <ipsec@ietfa.amsl.com>; Mon, 5 May 2014 21:18:17 -0700 (PDT)
Received: from mail-ie0-x235.google.com (mail-ie0-x235.google.com [IPv6:2607:f8b0:4001:c03::235]) by ietfa.amsl.com (Postfix) with ESMTP id E724A1A0148 for <ipsec@ietf.org>; Mon, 5 May 2014 21:18:16 -0700 (PDT)
Received: by mail-ie0-f181.google.com with SMTP id y20so9199609ier.40 for <ipsec@ietf.org>; Mon, 05 May 2014 21:18:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3BymQ/p+QZYZCb2NDTPN3ugs5Qo3z5Zzd2b/n6mjeAU=; b=UJ8ap0BV0fcAfsqBajbveUW8LEvaiq2yu5N2A1BNGXd7pqaZooPkXyWlyrt8eflMDI kLZaNUqlMpCudUSqawKbYMXcvekV/F2TtV+U+gXSJwgJUc6D35keaFLCbGasYybuhNx6 Mzac5ATz0TXY+U9Bv0f6xzwB1riP5OLF4YiycK7VwN+ydqhQDN2Bq8fZQDMTEBH/4fDi T6tzR//PYmvs+REHhs2QdhaIdg66F2rTeEkK9+fZlaxbKWkN8uMo7WNrrbxQK63h39wC cP6qY7ZqoSEunRlJ0kLz4XXKRvp+7j8BKSRXZf+H/clSzfNICvcA3IN9q0jmTPrrksVa S3Kg==
X-Received: by 10.42.224.194 with SMTP id ip2mr63606icb.91.1399349893234; Mon, 05 May 2014 21:18:13 -0700 (PDT)
Received: from [192.168.1.101] (adsl-99-30-174-168.dsl.sfldmi.sbcglobal.net. [99.30.174.168]) by mx.google.com with ESMTPSA id s1sm34286038igr.14.2014.05.05.21.18.12 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 05 May 2014 21:18:12 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-85229675-9519-429A-8243-EF359B70B9A9"
Mime-Version: 1.0 (1.0)
From: Ahmad Muhanna <asmuhanna@gmail.com>
X-Mailer: iPhone Mail (11D201)
In-Reply-To: <AD5AD8B0B070044BAD3C37D7057F37E153FE65DB@szxeml513-mbx.china.huawei.com>
Date: Mon, 05 May 2014 23:18:11 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <15950B41-4A0C-420C-819A-30F77790555E@gmail.com>
References: <AD5AD8B0B070044BAD3C37D7057F37E153FE638D@szxeml513-mbx.china.huawei.com> <E1DF8B79-5C70-43EF-AA52-1F13F1A77C7B@gmail.com> <AD5AD8B0B070044BAD3C37D7057F37E153FE64F9@szxeml513-mbx.china.huawei.com> <CF8D08A7.5371E%praveenys@juniper.net> <CAPfd2wMf4WymBeVWJ9=4vMVRW_-0kLytmXahyhBTuh+xUe_LdQ@mail.gmail.com> <AD5AD8B0B070044BAD3C37D7057F37E153FE65DB@szxeml513-mbx.china.huawei.com>
To: vijay kn <vijay.kn@huawei.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/g4roReRqdWsWtrwOZt32ILsFn_c
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "vijay@wichorus.com" <vijay@wichorus.com>, "kilian.weniger@googlemail.com" <kilian.weniger@googlemail.com>, Praveen Sathyanarayan <praveenys@juniper.net>, "vjkumar2003@gmail.com" <vjkumar2003@gmail.com>
Subject: Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 04:18:19 -0000

Hello Vijay,

No one is trying to deviate from the original topic. Let me try to address what you just mentioned one more time.

You just mentioned that some vendors do not support Reauth. But let me remind you; no vendor is supporting what you are proposing now. How that becomes an argument.

On the other hand, I provided you with an example that your proposal will NOT solve; while the SeGW even support REDIRECTION as per RFC5685 already; you some how chose to ignore it. Here is the text for the reminder:
"
For example: what about if the SeGW support REDIRECTION as per RFC5685 but NOT by the newly introduced functionality (assuming that has been adopted). Although, the SeGW support REDIRECTION, but it would NOT be able to recognize and support this functionality. This means that it wont work but renegotiation of the IKE SA will still work.
"

Regards,
Ahmad

> On May 5, 2014, at 10:45 PM, vijay kn <vijay.kn@huawei.com> wrote:
> 
> Praveen/Ahmad,
> Some vendors don’t support Reauth. In this case what to do?
> I think we are slightly deviating from our original topic.
> Why to do reauth which is an expensive operation when you can just intimate the SeGW that u support redirect via an INFO msg.
>  
>  
> Thanks.
>  
> From: Ahmad Muhanna [mailto:asmuhanna@gmail.com] 
> Sent: Monday, May 05, 2014 10:48 PM
> To: Praveen Sathyanarayan
> Cc: vijay kn; ipsec@ietf.org; vijay@wichorus.com; kilian.weniger@googlemail.com; vjkumar2003@gmail.com
> Subject: Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)
>  
> Thanks Praveen for pointing that out.
>  
> That what I initially had in mind but got distracted by the notion that it may cause service disruption without double checking RFC5996.
> I believe Re-authentication is the solution for this issue without causing any service disruption. Although, service disruption is imminent in case of upgrade anyway.
>  
> Regards,
> Ahmad
>  
> 
> On Mon, May 5, 2014 at 12:05 PM, Praveen Sathyanarayan <praveenys@juniper.net> wrote:
> Why not trigger Re-authentication from base station, when upgraded/REDIRECT enabled in config?
>  
> RFC 5996:
>  
>    Reauthentication is done by creating a new IKE SA from scratch (using
>    IKE_SA_INIT/IKE_AUTH exchanges, without any REKEY_SA Notify
>    payloads), creating new Child SAs within the new IKE SA (without
>    REKEY_SA Notify payloads), and finally deleting the old IKE SA (which
>    deletes the old Child SAs as well).
>  
> Thanks,
> Praveen
>  
> From: vijay kn <vijay.kn@huawei.com>
> Date: Sunday, May 4, 2014 at 10:30 PM
> To: Ahmad Muhanna <asmuhanna@gmail.com>
> Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "vijay@wichorus.com" <vijay@wichorus.com>, "kilian.weniger@googlemail.com" <kilian.weniger@googlemail.com>, "vjkumar2003@gmail.com" <vjkumar2003@gmail.com>
> Subject: Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)
>  
> Hi Ahmad,
> If you meant re-negotiating is IKEv2 rekey then it will not work because IKEv2 rekey will not send any IKE_SA_INIT packet. As of now, the RFC says that REDIRECT_SUPPORTED payload can be sent only in IKE_SA_INIT msg.
> OR
> If you meant re-negotiating is completely delete the current SA and re-negotiate the SA from scratch, this would lead to service loss/pkt loss.
>  
> Recommendation: -
> Since the base stations normally establish Tunnel with other vendor base stations and/or other vendor Gateways which may or may not support  REDIRECT, it is better to add this solution (client to send a new INFO msg with the REDIRECT_SUPPORTED notify payload) to enable a SMOOTH inter-op with other vendor implementations.
>  
> Because of these reasons, I feel the RFC needs correction.
>  
>  
> From: Ahmad Muhanna [mailto:asmuhanna@gmail.com] 
> Sent: Sunday, May 04, 2014 9:41 PM
> To: vijay kn
> Cc: vijay@wichorus.com; kilian.weniger@googlemail.com; ipsec@ietf.org;  vjkumar2003@gmail.com
> Subject: Re: [IPsec] Regarding IKEv2 REDIRECT problem (reference RFC 5685)
>  
> Hi, Vijay, 
>  
> I am NOT one if the authors of this RFC but I recall the discussion and the use case. If I understand the scenario correctly, the client in this case (eNB) negotiated an IKE SA without indicating the ability to support REDIRECT. If that is the case, the client should renegotiate IKE SA after being upgraded to support this functionality. My understanding renegotiating IKE SA is supported.
>  
> IMO, I do not think that anything in this RFC needs to be changed.
> 
> Regards,
> Ahmad Muhanna 
> 
> On May 2, 2014, at 9:14 AM, vijay kn <vijay.kn@huawei.com> wrote:
> 
> Hi,
> There is an issue in IKEv2 REDIRECT RFC 5685. In one scenario, the IKEv2 REDIRECT will not work indefinitely.
>  
> Scenario: -
> Let’s assume there are about 1000 clients connected to a IKEv2 REDIRECT enabled SeGW. None of the clients were IKEv2 redirect enabled at the time of establishing SA with the SeGW (meaning they have not sent the REDIRECT_SUPPORTED notification in the
> IKE_SA_INIT message)
> This will lead to a situation where the SeGW is loaded and wanting to redirect some clients to another SeGW but it cannot REDIRECT them as none of them have indicated REDIRECT support in the IKE_SA_INIT message.
> If the user/operator enabled REDIRECT functionality dynamically (like after SAs were established), then the SeGW is not going to redirect them because it had not received a REDIRECT_SUPPORTED payload from the clients.
>  
> Effect/Impact: -
> This leads to a congestion/overload at the gateway when the base stations connecting to the SeGW are several hundred/thousands in number. In the LTE and LTE-A scenarios, this condition is possible where the number of base stations connecting to the SeGW are very high.
>  
> Suggestion/Solution: -
> A change is required in RFC 5685 is required as below: -
> “”Whenever the redirect feature/functionality is enabled at run-time, the client should indicate the same to the SeGW. This can be done by the client sending an INFORMATIONAL message  under the protection of the IKE SA. This message MUST have a REDIRECT_SUPPORTED notify payload to enable the SeGW to redirect them at run-time even though they had initially connected with SeGW without REDIRECT support””
>  
> Request for comments: -
> Please read the problem, impact and solution listed above and let me know if any comments. Hope my point is valid and needs to be incorporated as the RFC update.
>  
>  
> Regards,
> Vijay N.
>  
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> 
> 
>  
> --
> Regards,
> Ahmad

v2.23.0 | Report a Bug | By Email