Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01
Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 14 January 2011 08:45 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AFF433A6C5B for <ipsec@core3.amsl.com>; Fri, 14 Jan 2011 00:45:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10kePJpvQywE for <ipsec@core3.amsl.com>; Fri, 14 Jan 2011 00:45:27 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 00F6D3A6C5A for <ipsec@ietf.org>; Fri, 14 Jan 2011 00:45:26 -0800 (PST)
Received: by wyf23 with SMTP id 23so2699475wyf.31 for <ipsec@ietf.org>; Fri, 14 Jan 2011 00:47:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=X77dv1FjxVZRPQ18qEXy3muxH2Fh8cfjUbiqB2/G8Rs=; b=xgqOuzuyBIhliNw42CYgiAF8/1LTniKn6Ln9aKdWTl1LDaz6wIVwguIzwe9WsAGPoy 4Vik+5Accmxo4j5ZtM2YC66EdXO2td2NbxGLEvTFWMrz55jDais9Fe8O0aUPkcJI2Vcx mEvHxeMjyvCVFVTCpUevdrLEzXuQk7CqO434s=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; b=s259Y4VuMdt2hW1NHUZvIC5s23w6CjVpEiP5uXnfgxiN84BdN9UpvMwYz8GUvj6Zbz 3HYFvr0EWuKd0QzDGWKjJ8nAEIwak/1GUYU7TOZ23HFJxTrWWZ0OUtrOZqAYrizg9o4U F25cQQRotHWsbHTZEljK+panxsF+tMFY9Q2EU=
Received: by 10.227.144.7 with SMTP id x7mr428340wbu.115.1294994870054; Fri, 14 Jan 2011 00:47:50 -0800 (PST)
Received: from [10.0.0.4] ([109.67.17.212]) by mx.google.com with ESMTPS id 11sm725910wbj.1.2011.01.14.00.47.47 (version=SSLv3 cipher=RC4-MD5); Fri, 14 Jan 2011 00:47:49 -0800 (PST)
Message-ID: <4D300DA7.2010003@gmail.com>
Date: Fri, 14 Jan 2011 10:47:35 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Keith Welter <welterk@us.ibm.com>
References: <OF83382F06.D21E6F23-ON88257816.0070A15A-88257816.0070D005@us.ibm.com> <OF042D8DC8.64349015-ON88257816.0073DD1F-88257816.00754261@us.ibm.com>
In-Reply-To: <OF042D8DC8.64349015-ON88257816.0073DD1F-88257816.00754261@us.ibm.com>
Content-Type: multipart/alternative; boundary="------------080800070707010300080102"
Cc: ipsec@ietf.org
Subject: Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jan 2011 08:45:28 -0000
Hi Keith, I think this version makes a lot of sense. A few comments: * I don't like the asymmetrical nature of the notification, which implies that only the original initiator can initiate the second IKE_AUTH. There may be cases when the responder would like to reauthenticate (e.g. mutual EAP with passwords). So I suggest to have both peers send the notification if they support this extension. * Please say explicitly whether/how this extension interacts with RFC 6023: can the reauthenticated IKE SA be childless? * The introduction mentions three problems. Please add text somewhere on how they are solved by this proposal. * Typo in Sec. 4: "MUST be the same as the as the SPIs". Thanks, Yaron On 12/01/2011 23:20, Keith Welter wrote: > > In the thread "Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-00", Yoav > proposed: > "having an IKE_AUTH exchange in the middle of the IKE SA lifetime. > Suppose the IKE SA has been around for a couple of hours, and has been > used for creating some child SAs, why not keep it and just pass one or > more IKE_AUTH exchanges?" > > draft-welter-ipsecme-ikev2-reauth-01 specifies this alternative design. > > To refresh everyone's memory on the problems that the draft aims to > solve, I'll include the introductory text from the new version of the > draft here: > > "IKE SA reauthentication as defined in [IKEv2] is accomplished by > creating a new IKE SA, creating new Child SAs, and deleting the old > IKE SA. Assuming that the old IKE SA has n Child SAs, > reauthentication as defined in [IKEv2] requires at least n+1 message > exchanges. This style of reauthentication does not scale well when n > is large. The extension described in this document allows > reauthentication of an IKE SA using a single IKE_AUTH exchange on the > IKE SA to be reauthenticated without creating a new IKE SA or new > Child SAs. The terms IKEv2, IKEv2 SA, and Child SA and the various > IKEv2 exchanges are defined in [IKEv2] > > Other problems with IKE SA reauthentication as defined in [IKEv2] > include: > > o Simultaneous IKE SA reauthentication may result in redundant SAs. > > o Child SAs for which an internal address was assigned using the > Configuration Payload may experience a connection disruption for > reassignment of an internal address. > > o While [IKEv2] describes how to handle exchange collisions that > may occur during IKE SA rekeying, it does not do so for exchange > collisions that may occur during reauthentication which could inhibit > interoperability in such cases." > > Please share your comments on draft-welter-ipsecme-ikev2-reauth-01. > > Thanks, > > Keith Welter > IBM z/OS Communications Server Developer > 1-415-545-2694 (T/L: 473-2694) > > > ipsec-bounces@ietf.org wrote on 01/12/2011 12:32:07 PM: > > > [image removed] > > > > [IPsec] draft-welter-ipsecme-ikev2-reauth-01 > > > > Keith Welter > > > > to: > > > > ipsec > > > > 01/12/2011 12:36 PM > > > > Sent by: > > > > ipsec-bounces@ietf.org > > > > > > A new version of I-D, draft-welter-ipsecme-ikev2-reauth-01.txt has > > been successfully submitted by Keith Welter and posted to the IETF > repository. > > > > Filename: draft-welter-ipsecme-ikev2-reauth > > Revision: 01 > > Title: Reauthentication Extension > for IKEv2 > > Creation_date: 2011-01-12 > > WG ID: Independent Submission > > Number_of_pages: 6 > > > > Abstract: > > This document describes an extension to the Internet Key Exchange > > version 2 (IKEv2) protocol that allows an IKEv2 Security Association > > (SA) to be reauthenticated without creating a new IKE SA or new Child > > SAs. > > > > > > > > The IETF Secretariat. > > > > > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec > > > _______________________________________________ > IPsec mailing list > IPsec@ietf.org > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] draft-welter-ipsecme-ikev2-reauth-01 Keith Welter
- Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01 Keith Welter
- Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01 Yaron Sheffer
- Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01 Keith Welter