IETF Logo Mail Archive

Re: [IPsec] I-D ACTION:draft-ietf-ipsecme-ikev2bis-10.txt

Yoav Nir <ynir@checkpoint.com> Thu, 22 April 2010 13:01 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D8DC53A6ABB for <ipsec@core3.amsl.com>; Thu, 22 Apr 2010 06:01:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.916
X-Spam-Level:
X-Spam-Status: No, score=-2.916 tagged_above=-999 required=5 tests=[AWL=0.683, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W3qEBnPTvIif for <ipsec@core3.amsl.com>; Thu, 22 Apr 2010 06:01:49 -0700 (PDT)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by core3.amsl.com (Postfix) with ESMTP id 26DF33A686A for <ipsec@ietf.org>; Thu, 22 Apr 2010 06:01:22 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id o3MD19ph022865; Thu, 22 Apr 2010 16:01:09 +0300 (IDT)
X-CheckPoint: {4BD0567B-0-1B201DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 22 Apr 2010 16:01:37 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: V Jyothi-B22245 <B22245@freescale.com>
Date: Thu, 22 Apr 2010 16:01:09 +0300
Thread-Topic: [IPsec] I-D ACTION:draft-ietf-ipsecme-ikev2bis-10.txt
Thread-Index: AcriG/EMiscZKmZaTQmJ9xaC6TXhyA==
Message-ID: <AC0411E1-4CE8-440C-8655-D44CAE797E30@checkpoint.com>
References: <20100414221506.0E8D23A6ABA@core3.amsl.com><402621A7D69DDA458D0E12F070D1E55F7D4853@zin33exm29.fsl.freescale.net> <19408.11864.296682.634981@fireball.kivinen.iki.fi> <402621A7D69DDA458D0E12F070D1E55F7D4883@zin33exm29.fsl.freescale.net>
In-Reply-To: <402621A7D69DDA458D0E12F070D1E55F7D4883@zin33exm29.fsl.freescale.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] I-D ACTION:draft-ietf-ipsecme-ikev2bis-10.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Apr 2010 13:01:50 -0000

Hi.

It's true that the standard is more geared to full implementations than those minimal implementations, but in this case there really is no solution.

The minimal implementation can delete the IKE SA that was created and start fresh with a single pair. But since the responder is also not fully-functional - it cannot handle complex selectors - there is no way that you can get to a state where you cover all the selectors in the initiator's policy. The responder requires multiple SAs, while the initiator requires just one for the same policy.


On Apr 22, 2010, at 3:42 PM, V Jyothi-B22245 wrote:

> Hi,
> 
> I find an issue in case of minimal implementations.
> Minimal implementations may not support CREATE_CHILD_SA exchanges, CHILD
> SA gets created as part of AUTH exchange.
> 
> In this case, if the responder sends SINGLE_PAIR_REQUIRED, minimal
> implementations cannot start CREATE_CHILD_SA exchange and minimal
> implementation should not establish IKE SA because CHILD SA is not yet
> established and it may not be right solution to maintain the
> SINGLE_PAIR_REQUIRED notify reception information to use it in new IKEv2
> exchange.
> Instead initiator can try sending AUTH request with single traffic
> selectors.
> 
> Thanks
> Jyothi
> 
> 
> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi] 
> Sent: Thursday, April 22, 2010 4:39 PM
> To: V Jyothi-B22245
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] I-D ACTION:draft-ietf-ipsecme-ikev2bis-10.txt
> 
> V Jyothi-B22245 writes:
>> Hi,
>> 
>> In section 2.9.  Traffic Selector Negotiation,
>> 
>> The SINGLE_PAIR_REQUIRED error indicates that a CREATE_CHILD_SA
>>   request is unacceptable because its sender is only willing to
> accept
>>   traffic selectors specifying a single pair of addresses.  The
>>   requestor is expected to respond by requesting an SA for only the
>>   specific traffic it is trying to forward.
>> 
>> Above paragraph gives the clarity of what action to take when 
>> SINGLE_PAIR_REQUIRED notify type received in case of CREATE_CHILD_SA 
>> exchanges.
>> 
>> Suppose if the SINGLE_PAIR_REQUIRED notify type is received in AUTH 
>> response, how initiator should act upon it?
>> Can initiator resend AUTH request with different TSi and TSr payloads 
>> or it should establish IKE SA and then start CREATE_CHILD_SA exchange?
> 
> It will establish IKE SA even when the Child SA creation failed.
> 
> What it does next depends on the implementation. Normal implementation
> will simply do CREATE_CHILD_SA with better traffic selectors, and create
> Child SA that way. Some implementation might simply mark the specific
> rule so that it requires exact traffic selectors, and wait for next
> packet hitting that rule before starting CREATE_CHILD_SA (this is needed
> if the first Child SA creation in the IKE_AUTH was done because of
> auto-start rule, i.e. there is no traffic yet, thus the initiator does
> not know the exact traffic selectors).
> --
> kivinen@iki.fi
> 
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> 
> Scanned by Check Point Total Security Gateway.

v2.23.0 | Report a Bug | By Email