[IPsec] Fwd: Last Call: draft-ietf-ipsecme-ikev2-resumption (IKEv2 Session Resumption) to Proposed Standard
Peny Yang <peng.yang.chn@gmail.com> Wed, 02 September 2009 14:18 UTC
In-Reply-To: <4c5c7a6d0909011932g74decc2dq1ae2cb61b78b2b0a@mail.gmail.com>
References: <20090831140935.4752B3A6E46@core3.amsl.com> <4c5c7a6d0909011932g74decc2dq1ae2cb61b78b2b0a@mail.gmail.com>
Date: Wed, 02 Sep 2009 22:17:32 +0800
Message-ID: <4c5c7a6d0909020717r72ee57btaaa9bdafd39a12cd@mail.gmail.com>
From: Peny Yang <peng.yang.chn@gmail.com>
To: ietf@ietf.org
Cc: IPsecme WG <ipsec@ietf.org>
Subject: [IPsec] Fwd: Last Call: draft-ietf-ipsecme-ikev2-resumption (IKEv2 Session Resumption) to Proposed Standard
Sorry, I should have cc'd the IPsec mail list. Comments are sent again.

Hi, folks:

I have two comments on the draft of IKEv2 Session Resumption:

1) Sorry, I have to talk about my concern on the new IKE_SESSION_RESUME. In WG last call, actually I made this comment. However, no feedback was given, maybe because my comment was a little late for WG last call. So, I just copy it here again as a comment for IESG last call.

Well, we've discussed the pros and cons of IKE_SA_INIT and IKE_SESSION_RESUME for quite a long time. However, IMHO, the consensus is still not fully achieved on this item. So far, I still prefer choosing extended IKE_SA_INIT for ticket presenting. This solution is specified in http://tools.ietf.org/html/draft-xu-ike-sa-sync-01

As a summary, the virtues are as follows:

- RFC 5077 (TLS session resumption) also uses a similar scheme, which extends the ClientHello message with a session ticket extension. The extended IKE_SA_INIT solution works in a similar way. It's easy to extend the base IKEv2 protocol stack to support session resumption.
- Considering the case of failing session resumption, the extended IKE_SA_INIT solution can save one round trip.
- As indicated in 4.3.3 IKE_AUTH exchange, IKE_AUTH must be initiated after IKE_SESSION_RESUME. In this sense, the extended IKE_SA_INIT way needs less code to be supported compared with IKE_SESSION_RESUME.

The downside:

- Some people thought the way of extended IKE_SA_INIT will make the base IKEv2 protocol stack more complex. IMHO, it's an issue of implementation.

Again, I still support using extended IKE_SA_INIT for ticket presenting instead of IKE_SESSION_RESUME.

2) Maybe I missed some discussions. There is the case: the responder may receive a ticket for an IKE SA that is still active, and the responder accepts it. In one of the previous versions of this draft, there once was some description of this case. I know that how a client detects the need for resumption is out of the scope of this draft. But there is the possibility that the IPsec client may be continuously deceived and believe the IPsec gateway has failed. It may continuously present the ticket and update the ticket. In this sense, IMHO, this draft should take care of this case.

BRG
Peny

On Mon, Aug 31, 2009 at 10:09 PM, The IESG <iesg-secretary@ietf.org> wrote:
> The IESG has received a request from the IP Security Maintenance and
> Extensions WG (ipsecme) to consider the following document:
>
> - 'IKEv2 Session Resumption '
>   <draft-ietf-ipsecme-ikev2-resumption-07.txt> as a Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2009-09-14. Exceptionally,
> comments may be sent to iesg@ietf.org instead. In either case, please
> retain the beginning of the Subject line to allow automated sorting.
>
> The file can be obtained via
> http://www.ietf.org/internet-drafts/draft-ietf-ipsecme-ikev2-resumption-07.txt
>
> IESG discussion can be tracked via
> https://datatracker.ietf.org/public/pidtracker.cgi?command=view_id&dTag=17990&rfc_flag=0
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
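To make the second comment concrete, here is an added example written for this page; it is not code from the draft, the working group or Peny Yang. It models a responder that validates a resumption ticket, retires an IKE SA that is still active when its own ticket is presented again, and refuses further resumptions from a client that keeps presenting and refreshing tickets while its SA is healthy, which is the "continuously deceived client" case the comment asks the draft to address. The MAC-only ticket format, the one-time-use tracking by ticket tag, the per-client rate limit and every name in the block (Responder, resume, RESUME_LIMIT, and so on) are assumptions of this example, not mechanisms the draft specifies.

```python
# Illustrative responder-side model of IKEv2 session resumption tickets.
# Added example; not the draft's, the IETF's or the poster's code.
# Assumptions (not from the draft): a MAC-only "ticket by value" format,
# one-time-use tracking keyed by the ticket tag, and a per-client
# resumption rate limit as the countermeasure for a client that is being
# tricked into believing the gateway has failed.
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

TICKET_KEY = b"responder-local-ticket-key"  # assumed responder-only secret
TICKET_LIFETIME = 3600                     # seconds a ticket stays valid
RESUME_WINDOW = 60                         # seconds covered by the rate check
RESUME_LIMIT = 3                           # resumptions allowed per window


def make_ticket(sa_id: int, client_id: str, issued_at: int,
                key: bytes = TICKET_KEY) -> str:
    """Serialise the SA state and protect it with HMAC-SHA256 (no encryption)."""
    body = json.dumps({"sa": sa_id, "client": client_id,
                       "exp": issued_at + TICKET_LIFETIME}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + tag


def parse_ticket(ticket: str, now: int, key: bytes = TICKET_KEY) -> Optional[dict]:
    """Return the ticket state, or None if it is malformed, forged or expired."""
    try:
        b64, tag = ticket.split(".", 1)
        body = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    state = json.loads(body)
    return None if now >= state["exp"] else state


@dataclass
class ResumeResult:
    accepted: bool
    reason: str
    sa_id: Optional[int] = None
    ticket: Optional[str] = None


class Responder:
    def __init__(self, key: bytes = TICKET_KEY) -> None:
        self.key = key
        self.active: dict[int, str] = {}          # sa_id -> owning client
        self.used_tags: set[str] = set()          # tickets already presented
        self.resumes: dict[str, list[int]] = {}   # client -> resumption times
        self.next_sa = 1

    def establish(self, client_id: str, now: int) -> tuple[int, str]:
        """A full IKE_SA_INIT/IKE_AUTH succeeded: record the SA, issue a ticket."""
        sa_id, self.next_sa = self.next_sa, self.next_sa + 1
        self.active[sa_id] = client_id
        return sa_id, make_ticket(sa_id, client_id, now, self.key)

    def resume(self, ticket: str, now: int) -> ResumeResult:
        """Handle a presented ticket; a rejection means 'do a full exchange'."""
        state = parse_ticket(ticket, now, self.key)
        if state is None:
            return ResumeResult(False, "invalid or expired ticket")
        tag = ticket.rsplit(".", 1)[1]
        if tag in self.used_tags:
            return ResumeResult(False, "ticket already used")
        client = state["client"]
        recent = [t for t in self.resumes.get(client, []) if now - t < RESUME_WINDOW]
        if len(recent) >= RESUME_LIMIT:
            # The client keeps resuming although each new SA was fine: assume
            # it is being deceived about gateway failure and stop the churn.
            return ResumeResult(False, "resumption rate exceeded")
        self.used_tags.add(tag)
        self.resumes[client] = recent + [now]
        old_sa = state["sa"]
        if self.active.get(old_sa) == client:
            # Ticket for an SA that is still active: retire the old SA rather
            # than keep two SAs for the same client (assumed policy).
            del self.active[old_sa]
        sa_id, new_ticket = self.establish(client, now)
        return ResumeResult(True, "resumed", sa_id, new_ticket)
```

Each accepted resumption consumes the presented ticket and hands back a fresh one, so a client that is repeatedly fooled into resuming produces a chain of tickets; the rate check is what breaks that chain, and a real implementation would also encrypt the ticket body rather than only authenticate it.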