Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01
Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 14 January 2011 08:45 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AFF433A6C5B for <ipsec@core3.amsl.com>; Fri, 14 Jan 2011 00:45:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10kePJpvQywE for <ipsec@core3.amsl.com>; Fri, 14 Jan 2011 00:45:27 -0800 (PST)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id 00F6D3A6C5A for <ipsec@ietf.org>; Fri, 14 Jan 2011 00:45:26 -0800 (PST)
Received: by wyf23 with SMTP id 23so2699475wyf.31 for <ipsec@ietf.org>; Fri, 14 Jan 2011 00:47:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:user-agent:mime-version:to :cc:subject:references:in-reply-to:content-type; bh=X77dv1FjxVZRPQ18qEXy3muxH2Fh8cfjUbiqB2/G8Rs=; b=xgqOuzuyBIhliNw42CYgiAF8/1LTniKn6Ln9aKdWTl1LDaz6wIVwguIzwe9WsAGPoy 4Vik+5Accmxo4j5ZtM2YC66EdXO2td2NbxGLEvTFWMrz55jDais9Fe8O0aUPkcJI2Vcx mEvHxeMjyvCVFVTCpUevdrLEzXuQk7CqO434s=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; b=s259Y4VuMdt2hW1NHUZvIC5s23w6CjVpEiP5uXnfgxiN84BdN9UpvMwYz8GUvj6Zbz 3HYFvr0EWuKd0QzDGWKjJ8nAEIwak/1GUYU7TOZ23HFJxTrWWZ0OUtrOZqAYrizg9o4U F25cQQRotHWsbHTZEljK+panxsF+tMFY9Q2EU=
Received: by 10.227.144.7 with SMTP id x7mr428340wbu.115.1294994870054; Fri, 14 Jan 2011 00:47:50 -0800 (PST)
Received: from [10.0.0.4] ([109.67.17.212]) by mx.google.com with ESMTPS id 11sm725910wbj.1.2011.01.14.00.47.47 (version=SSLv3 cipher=RC4-MD5); Fri, 14 Jan 2011 00:47:49 -0800 (PST)
Message-ID: <4D300DA7.2010003@gmail.com>
Date: Fri, 14 Jan 2011 10:47:35 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Keith Welter <welterk@us.ibm.com>
References: <OF83382F06.D21E6F23-ON88257816.0070A15A-88257816.0070D005@us.ibm.com> <OF042D8DC8.64349015-ON88257816.0073DD1F-88257816.00754261@us.ibm.com>
In-Reply-To: <OF042D8DC8.64349015-ON88257816.0073DD1F-88257816.00754261@us.ibm.com>
Content-Type: multipart/alternative; boundary="------------080800070707010300080102"
Cc: ipsec@ietf.org
Subject: Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jan 2011 08:45:28 -0000
Hi Keith,
I think this version makes a lot of sense. A few comments:
* I don't like the asymmetrical nature of the notification, which
implies that only the original initiator can initiate the second
IKE_AUTH. There may be cases when the responder would like to
reauthenticate (e.g. mutual EAP with passwords). So I suggest to
have both peers send the notification if they support this extension.
* Please say explicitly whether/how this extension interacts with
RFC 6023: can the reauthenticated IKE SA be childless?
* The introduction mentions three problems. Please add text
somewhere on how they are solved by this proposal.
* Typo in Sec. 4: "MUST be the same as the as the SPIs".
Thanks,
Yaron
On 12/01/2011 23:20, Keith Welter wrote:
>
> In the thread "Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-00", Yoav
> proposed:
> "having an IKE_AUTH exchange in the middle of the IKE SA lifetime.
> Suppose the IKE SA has been around for a couple of hours, and has been
> used for creating some child SAs, why not keep it and just pass one or
> more IKE_AUTH exchanges?"
>
> draft-welter-ipsecme-ikev2-reauth-01 specifies this alternative design.
>
> To refresh everyone's memory on the problems that the draft aims to
> solve, I'll include the introductory text from the new version of the
> draft here:
>
> "IKE SA reauthentication as defined in [IKEv2] is accomplished by
> creating a new IKE SA, creating new Child SAs, and deleting the old
> IKE SA. Assuming that the old IKE SA has n Child SAs,
> reauthentication as defined in [IKEv2] requires at least n+1 message
> exchanges. This style of reauthentication does not scale well when n
> is large. The extension described in this document allows
> reauthentication of an IKE SA using a single IKE_AUTH exchange on the
> IKE SA to be reauthenticated without creating a new IKE SA or new
> Child SAs. The terms IKEv2, IKEv2 SA, and Child SA and the various
> IKEv2 exchanges are defined in [IKEv2]
>
> Other problems with IKE SA reauthentication as defined in [IKEv2]
> include:
>
> o Simultaneous IKE SA reauthentication may result in redundant SAs.
>
> o Child SAs for which an internal address was assigned using the
> Configuration Payload may experience a connection disruption for
> reassignment of an internal address.
>
> o While [IKEv2] describes how to handle exchange collisions that
> may occur during IKE SA rekeying, it does not do so for exchange
> collisions that may occur during reauthentication which could inhibit
> interoperability in such cases."
>
> Please share your comments on draft-welter-ipsecme-ikev2-reauth-01.
>
> Thanks,
>
> Keith Welter
> IBM z/OS Communications Server Developer
> 1-415-545-2694 (T/L: 473-2694)
>
>
> ipsec-bounces@ietf.org wrote on 01/12/2011 12:32:07 PM:
>
> > [image removed]
> >
> > [IPsec] draft-welter-ipsecme-ikev2-reauth-01
> >
> > Keith Welter
> >
> > to:
> >
> > ipsec
> >
> > 01/12/2011 12:36 PM
> >
> > Sent by:
> >
> > ipsec-bounces@ietf.org
> >
> >
> > A new version of I-D, draft-welter-ipsecme-ikev2-reauth-01.txt has
> > been successfully submitted by Keith Welter and posted to the IETF
> repository.
> >
> > Filename: draft-welter-ipsecme-ikev2-reauth
> > Revision: 01
> > Title: Reauthentication Extension
> for IKEv2
> > Creation_date: 2011-01-12
> > WG ID: Independent Submission
> > Number_of_pages: 6
> >
> > Abstract:
> > This document describes an extension to the Internet Key Exchange
> > version 2 (IKEv2) protocol that allows an IKEv2 Security Association
> > (SA) to be reauthenticated without creating a new IKE SA or new Child
> > SAs.
> >
> >
> >
> > The IETF Secretariat.
> >
> >
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] draft-welter-ipsecme-ikev2-reauth-01 Keith Welter
- Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01 Keith Welter
- Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01 Yaron Sheffer
- Re: [IPsec] draft-welter-ipsecme-ikev2-reauth-01 Keith Welter