[IPsec] Some comments to draft-plmrs-ipsecme-ipsec-ikev2-context-definition-01
Tero Kivinen <kivinen@iki.fi> Wed, 05 March 2014 23:07 UTC
Message-ID: <21271.44610.414071.370642@fireball.kivinen.iki.fi>
Date: Thu, 06 Mar 2014 01:07:46 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/pHiO_QMl_sPRLqj_MaibG-fZn9Y
In section 2 it says:

    Note that IKEv2 and IPsec session do not need to be on the same node
    as IKEv2 and IPsec context are different.

This is not so easy. RFC 5996 says:

----------------------------------------------------------------------
2.4. State Synchronization and Connection Timeouts
...
   An implementation needs to stop sending over any SA if some failure
   prevents it from receiving on all of the associated SAs. If a system
   creates Child SAs that can fail independently from one another
   without the associated IKE SA being able to send a delete message,
   then the system MUST negotiate such Child SAs using separate IKE SAs.
----------------------------------------------------------------------

I.e. if any of the IPsec SAs fail, then all of the IPsec SAs created using the same IKE SA, and the IKE SA itself, must also fail.

If the IPsec SAs and the IKE SA are on separate nodes, that does set up new kinds of requirements for those nodes. I.e. if a node holding IPsec SAs fails, the node holding the IKE SA needs to detect this and send a delete notification for each IPsec SA that was on that node. Also, if the node holding the IKE SA fails, then all the IPsec SAs associated with that IKE SA must stop sending, i.e. they need to be destroyed.

-- 
kivinen@iki.fi
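A small model of the failure handling the message describes, added here as an example; it is not code from the original post, the draft, or any IKEv2 implementation. Node names and SPIs are constructed sample values, and the rule applied is the one quoted from RFC 5996 section 2.4.

```python
"""Split IKEv2 / IPsec context: what each node must do when the other fails."""
from dataclasses import dataclass, field


@dataclass
class ChildSa:
    spi: int            # constructed sample SPI
    node: str           # node holding the IPsec context for this Child SA
    sending: bool = True


@dataclass
class IkeSa:
    node: str           # node holding the IKEv2 context
    children: list = field(default_factory=list)
    alive: bool = True


def handle_node_failure(ike, failed_node):
    """Apply RFC 5996 section 2.4 to the loss of one node.

    Returns the SPIs for which the IKE node must send Delete notifications
    and the SPIs that must stop sending (be destroyed)."""
    deletes, stopped = [], []
    if failed_node == ike.node:
        # IKE SA is gone: nothing can send a Delete payload any more, so every
        # Child SA it negotiated must stop sending and be destroyed.
        ike.alive = False
        for c in ike.children:
            c.sending = False
            stopped.append(c.spi)
    else:
        # IKE node survives: it must detect the loss and send an informational
        # Delete for each Child SA that lived on the failed node.
        for c in ike.children:
            if c.node == failed_node:
                c.sending = False
                stopped.append(c.spi)
                deletes.append(c.spi)
    return {"delete_notifications": deletes, "stopped_spis": stopped}


def needs_separate_ike_sas(ike, ike_node_can_detect_failure):
    """True when Child SAs can fail independently of the IKE SA without the
    IKE SA being able to send a Delete, which RFC 5996 forbids under one IKE SA."""
    nodes = {c.node for c in ike.children}
    independent = len(nodes) > 1 or ike.node not in nodes
    return independent and not ike_node_can_detect_failure


if __name__ == "__main__":
    ike = IkeSa("ike-node", [ChildSa(0x1001, "ipsec-a"), ChildSa(0x1002, "ipsec-b")])
    print(handle_node_failure(ike, "ipsec-a"))
    print(handle_node_failure(ike, "ike-node"), ike.alive)
```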