[IPsec] ikev2bis issue #181: Section 2.4 unclear on Child SA failing
Tero Kivinen <kivinen@iki.fi> Thu, 01 April 2010 12:24 UTC
Message-ID: <19380.36219.405774.979743@fireball.kivinen.iki.fi>
Date: Thu, 01 Apr 2010 15:11:39 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p06240807c7d83e28b337@[10.20.30.158]>
References: <p06240807c7d83e28b337@[10.20.30.158]>
Cc: IPsecme WG <ipsec@ietf.org>
Subject: [IPsec] ikev2bis issue #181: Section 2.4 unclear on Child SA failing
Paul Hoffman writes:
> Section 2.4 says "If Child SAs can fail independently from one
> another without the associated IKE SA being able to send a delete
> message, then they MUST be negotiated by separate IKE SAs". It is
> not clear what this means. Does it apply to implementations?

Yes.

> If so, how can an implementation know whether or not the first
> clause is true?

The implementor should know that. I.e. if the IPsec SAs are divided among
multiple crypto chips, and those chips can fail independently, causing all
IPsec SAs on that chip to disappear but leaving IPsec SAs on other chips
intact, then those groups of IPsec SAs cannot be negotiated with the same
IKE SA.

> I propose removing the sentence, or greatly clarifying it.

For me the current text is very clear, and I do not see how we can
clarify it greatly. This issue usually only affects implementations where
there are multiple subsystems which can fail independently from each
other. If the only failure model is that the whole device
crashed/rebooted etc., then this text does not apply, as all IPsec SAs
(and IKE SAs) disappear at the same time.
-- 
kivinen@iki.fi
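The chip example in the message above, modelled as an added example (this is not code from the thread or from any IKEv2 implementation): Child SAs are tagged with the failure domain (crypto chip) that holds them, a checker flags an IKE SA whose Child SAs span more than one domain, a planner groups Child SAs into one IKE SA per domain, and a simulated chip failure shows the difference. The class and function names, the SPI values and the "chip0"/"chip1" domains are this example's own assumptions.

```python
# Added example: model of the IKEv2 section 2.4 rule that Child SAs which
# can fail independently must be negotiated under separate IKE SAs.
# All names, SPIs and failure-domain labels here are assumptions.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ChildSA:
    spi: int
    failure_domain: str  # assumed: the crypto chip holding this IPsec SA


@dataclass
class IkeSA:
    ike_spi: int
    children: list = field(default_factory=list)


def failure_domains(ike_sa):
    """Set of independent failure domains an IKE SA's Child SAs live in."""
    return {c.failure_domain for c in ike_sa.children}


def violates_rule(ike_sa):
    """True when Child SAs under one IKE SA can fail independently of each other."""
    return len(failure_domains(ike_sa)) > 1


def plan_ike_sas(child_sas, first_ike_spi=0x1000):
    """Group Child SAs by failure domain so that each IKE SA spans exactly one.

    SAs on different chips get different IKE SAs, which is what the rule
    requires. IKE SAs are returned in sorted domain order.
    """
    by_domain = defaultdict(list)
    for c in child_sas:
        by_domain[c.failure_domain].append(c)
    return [
        IkeSA(ike_spi=first_ike_spi + i, children=kids)
        for i, (_, kids) in enumerate(sorted(by_domain.items()))
    ]


def simulate_chip_failure(ike_sas, failed_domain):
    """Simulate one chip dying: every Child SA on it disappears, the rest stay.

    Returns {ike_spi: (lost_spis, surviving_spis)}. Under a compliant plan
    each IKE SA loses either all of its Child SAs or none of them; an IKE SA
    that spans chips is left with a partial loss.
    """
    result = {}
    for ike in ike_sas:
        lost = [c.spi for c in ike.children if c.failure_domain == failed_domain]
        kept = [c.spi for c in ike.children if c.failure_domain != failed_domain]
        result[ike.ike_spi] = (lost, kept)
    return result


def partial_losses(ike_sas, failed_domain):
    """IKE SPIs that lost some but not all of their Child SAs in the failure."""
    return [
        spi
        for spi, (lost, kept) in simulate_chip_failure(ike_sas, failed_domain).items()
        if lost and kept
    ]


# Constructed sample input: four IPsec SAs spread over two crypto chips.
SAMPLE_CHILD_SAS = [
    ChildSA(spi=0xA1, failure_domain="chip0"),
    ChildSA(spi=0xA2, failure_domain="chip0"),
    ChildSA(spi=0xB1, failure_domain="chip1"),
    ChildSA(spi=0xB2, failure_domain="chip1"),
]


def demo():
    """Compare a per-chip plan with one IKE SA carrying every Child SA."""
    compliant = plan_ike_sas(SAMPLE_CHILD_SAS)
    non_compliant = [IkeSA(ike_spi=0x2000, children=list(SAMPLE_CHILD_SAS))]
    return {
        "compliant_violations": [i.ike_spi for i in compliant if violates_rule(i)],
        "non_compliant_violations": [i.ike_spi for i in non_compliant if violates_rule(i)],
        "compliant_partial": partial_losses(compliant, "chip0"),
        "non_compliant_partial": partial_losses(non_compliant, "chip0"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the sample input the per-chip plan yields two IKE SAs, neither of which violates the rule, and a chip0 failure wipes out one IKE SA's Child SAs entirely while leaving the other untouched; the single IKE SA spanning both chips is flagged by the checker and ends up with a partial loss.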