Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha-protocol-00.txt
Raj Singh <rsjenwar@gmail.com> Mon, 06 September 2010 17:10 UTC
Return-Path: <rsjenwar@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 27F643A68F6 for <ipsec@core3.amsl.com>; Mon, 6 Sep 2010 10:10:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2K4T7AIFt1F3 for <ipsec@core3.amsl.com>; Mon, 6 Sep 2010 10:10:56 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by core3.amsl.com (Postfix) with ESMTP id ED8073A68CF for <ipsec@ietf.org>; Mon, 6 Sep 2010 10:10:55 -0700 (PDT)
Received: by ywk9 with SMTP id 9so2085702ywk.31 for <ipsec@ietf.org>; Mon, 06 Sep 2010 10:11:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:reply-to :in-reply-to:references:date:message-id:subject:from:to:cc :content-type; bh=jFyHnfDVsTRaPQRqMDBSKejHfZRpKhUhUjlNpP+u1DY=; b=jGEANGQG1Z+AhMsAbw5u/pQBym//keyGYSD91X7COFk+gTiNBrt8BmKyOSPZnyyeQ4 AFIi3DDtkQqTDPuJH1X/z6uhR2xnQJRgLxeTEAOqcvRZ4IbjGrEDQRYljAyI/bU7TXug oj83O+0zQvcwxwispUV8hFVC8oXWrR1odhpxI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; b=B7cIlOx6fYQ37zb6M6qxxQxiyR1WzasEsrHdYrGNr4BcHTCi+mmA5PZ53X114CFicz 4R2TUkC2qBy+McF4AYRnl9ILQuhCipDSXzWW1jBgwjX7KrAcqKMj1US8qT2b1+devpIz /zAab5Lf7KJbA5EADIA9heD30/NupMHqqd2Hc=
MIME-Version: 1.0
Received: by 10.100.122.15 with SMTP id u15mr1712904anc.98.1283793084160; Mon, 06 Sep 2010 10:11:24 -0700 (PDT)
Received: by 10.42.7.198 with HTTP; Mon, 6 Sep 2010 10:11:24 -0700 (PDT)
In-Reply-To: <Pine.NEB.4.64.1009060634140.12204@otaku.Xtrmntr.org>
References: <20100906031510.557ED3A6863@core3.amsl.com> <Pine.NEB.4.64.1009060634140.12204@otaku.Xtrmntr.org>
Date: Mon, 06 Sep 2010 22:41:24 +0530
Message-ID: <AANLkTim=S_TVvQoy-Oh4WuiwLX22qQjNA9WBST4FZhYQ@mail.gmail.com>
From: Raj Singh <rsjenwar@gmail.com>
To: Pekka Riikonen <priikone@iki.fi>
Content-Type: multipart/alternative; boundary="0016e644df52bf1cac048f9a5ee9"
Cc: ipsec@ietf.org
Subject: Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha-protocol-00.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: RSJenwar@gmail.com
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Sep 2010 17:10:59 -0000
Hi Pekka, Thanks for your comments. Please find my reply inline. Best Regards, Raj On Mon, Sep 6, 2010 at 11:13 AM, Pekka Riikonen <priikone@iki.fi> wrote: > > From the draft: > > There were some concerns about the current window sync process. The > concern was to make IKEv2 window sync optional but we beleive IKEv2 > window sync will be mandatory. > > The IKEv2 message id sync is definitely mandatory, but the IPSEC SA seqno > sync IMHO isn't. Although, none of this would be an issue if IKEv2 would > allow initiator to move the window forward freely (that would be real > "fix"). > > The IPsec SA replay counter sync is required for these reasons: 1. In cluster environment, IPsec SA reply counter will get get updated from active to standby in periodic manner. Suppose, we sync IPsec reply counter for every 1,000 IPsec packets and last sync happened at 30,000. So, the next sync will happen 31,000. Now, say failover happened at 30, 500. So, standby member becomes active, and it start using IPsec replay counter from 30, 000. It will be considered as Replay Attack and SA has to be destroyed. This applies to both outbound and inbound replay counters. So, IPsec replay counter sync is required as it mitigate the these attacks. 2. Another option is doing IPsec Rekey after failover. Now consider a scenario where gateways has thousands of SA. and after failover, we are doing IPsec rekey for them. The gateway will be so much loaded. If we follow IPsec replay counter sync mechanism, we can sync many IPsec SA with single sync message. So, if replay attack and load on server is OK, this option is not required. I'm not sure if any of the following should be mentioned in the draft: > > - Multiple failovers. In a cluster with three or more nodes, it's > possible that failovers happen in rapid succession. The protocol and the > implementation must be able to handle new failover even if they are still > processing the old failover (for example doing the IPSEC SA seqno sync, > which, if we leave it in, can take time). I see no reason why the > protocol wouldn't allow for this, but implementations must make sure they > can handle it. > > Very interesting point! Opened a ticket for it. http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/196 - Simultaneous failover at both ends. If failover happens at the same > time in both ends, implementations must be able to handle situation where > they receive SYNC_SA_COUNTER_INFO request before they receive response to > their own request (they may receive the response only after > retransmission). > > I don't think we have any solution for this and any solution is possible (?). This basically means that both sides has lost the SA. So we have to establish SA from scratch. This draft assumes, that both side has the SA and their message windows has mis-matched. > - Should there be way to negotiate support for IKE SA window sync but not > for IPSEC SA sync? Currently by sending SYNC_SA_COUNTER_INFO_SUPPORTED > you agree to support both, which can mean you may receive the IPSEC SA > syncs. > > This is very much possible and we can have flag for IPsec SA sync in SYNC_SA_COUNTER_INFO_SUPPORTED notify payload. If that flag can be TRUE if we support IPsec SA sync, else we support only IKEv2 SA sync. More discussion on this will be interesting. > There's also still bunch of typos in the draft. > > Pekka > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec >
- [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha-pro… Internet-Drafts
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha… Pekka Riikonen
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha… Raj Singh
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha… Pekka Riikonen
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha… Tero Kivinen
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha… Tero Kivinen
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha… Tero Kivinen
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha… Pekka Riikonen
- Re: [IPsec] I-D Action:draft-ietf-ipsecme-ipsecha… Pekka Riikonen