Re: [IPsec] Another round of IKEv2-bis issues

Tero Kivinen <kivinen@iki.fi> Mon, 26 April 2010 11:20 UTC

Message-ID: <19413.30405.5158.838402@fireball.kivinen.iki.fi>
Date: Mon, 26 Apr 2010 14:19:33 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: David Wierbowski <wierbows@us.ibm.com>
In-Reply-To: <OF2C6B98B2.0772F8F1-ON0025770E.004890F9-8525770E.004E35FE@us.ibm.com>
References: <006FEB08D9C6444AB014105C9AEB133FB37650C568@il-ex01.ad.checkpoint.com> <19389.52595.209726.960078@fireball.kivinen.iki.fi> <OF6AD2BFF8.4EBFBC83-ON852576FF.0050D170-852576FF.0054E2E4@us.ibm.com> <19400.25514.92364.300616@fireball.kivinen.iki.fi> <OF07C3799E.286E8226-ON8525770D.00754FB1-8525770D.00766EAC@us.ibm.com> <19409.38762.719146.5305@fireball.kivinen.iki.fi> <OF2C6B98B2.0772F8F1-ON0025770E.004890F9-8525770E.004E35FE@us.ibm.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Another round of IKEv2-bis issues

David Wierbowski writes:
> What I do not like about the text is that it is a rule related to the
> life of the Child SAs.  I think it would be clearer to tie the rule
> to the termination of the IKE SA.  For example I think replacing the
> text with something like the following is more straightforward:
> 
> If an IKE SA fails without being able to send a delete
> message, then all Child SAs created by the IKE SA MUST be silently
> deleted.

Do you think it is legal to create a system where one Child SA can
fail in such a way that the IKE SA cannot send a delete notification?

The current text says it is not legal, but your replacement text
allows it.

I do not think such a setup should be allowed. I.e. if any of the Child
SAs or the associated IKE SA fail in such a way that a delete
notification cannot be sent, then all the Child SAs AND the IKE SA
need to be destroyed.
-- 
kivinen@iki.fi
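The two candidate rules discussed in this thread, as an added toy model that is not part of the message or of any IKEv2 implementation; the class and function names (IkeSa, ChildSa, apply_proposed_rule, apply_strict_rule) are hypothetical, and the scenario is a Child SA failing without a Delete being sent while its IKE SA is still up.

```python
from dataclasses import dataclass, field

@dataclass
class ChildSa:
    spi: int
    alive: bool = True
    delete_sent: bool = False  # True once a Delete payload for this SA was sent

@dataclass
class IkeSa:
    children: list = field(default_factory=list)
    alive: bool = True
    delete_sent: bool = False  # True once a Delete for the IKE SA itself was sent

def fail_child_silently(ike: IkeSa, spi: int) -> None:
    """A Child SA fails and no Delete can be sent for it (the case Kivinen asks about)."""
    for child in ike.children:
        if child.spi == spi:
            child.alive = False
            child.delete_sent = False

def apply_proposed_rule(ike: IkeSa) -> None:
    """Wierbowski's wording: only an IKE SA that fails without sending a Delete
    forces silent deletion of its Child SAs. A silently failed Child SA is not covered."""
    if not ike.alive and not ike.delete_sent:
        for child in ike.children:
            child.alive = False

def apply_strict_rule(ike: IkeSa) -> None:
    """Kivinen's reading of the current text: if any Child SA or the IKE SA fails
    without a Delete being sent, all Child SAs AND the IKE SA are destroyed."""
    ike_failed = not ike.alive and not ike.delete_sent
    child_failed = any(not c.alive and not c.delete_sent for c in ike.children)
    if ike_failed or child_failed:
        ike.alive = False
        for child in ike.children:
            child.alive = False

def surviving_spis(ike: IkeSa) -> list:
    return [c.spi for c in ike.children if c.alive]

def scenario(rule) -> tuple:
    """Constructed scenario: three Child SAs, SPI 2 fails without a Delete; returns
    (IKE SA still alive?, SPIs of Child SAs still alive) after applying `rule`."""
    ike = IkeSa(children=[ChildSa(1), ChildSa(2), ChildSa(3)])
    fail_child_silently(ike, 2)
    rule(ike)
    return ike.alive, surviving_spis(ike)
```

Under the proposed wording the IKE SA and the sibling Child SAs survive, so the peer is never told about the dead SA; under the strict reading everything is torn down, which is the behaviour the reply argues the text must require.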