Re: Racing QM Initiator's
"Scott G. Kelly" <skelly@redcreek.com> Thu, 14 October 1999 17:34 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by mail.imc.org (8.9.3/8.9.3) with ESMTP id KAA24043; Thu, 14 Oct 1999 10:34:25 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id LAA29441 Thu, 14 Oct 1999 11:47:50 -0400 (EDT)
Message-ID: <3805FC73.510A44F9@redcreek.com>
Date: Thu, 14 Oct 1999 08:53:23 -0700
From: "Scott G. Kelly" <skelly@redcreek.com>
Organization: RedCreek Communications
X-Mailer: Mozilla 4.61 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Valery Smyslov <svan@trustworks.com>
CC: Sankar Ramamoorthi <Sankar@vpnet.com>, Dan Harkins <dharkins@network-alchemy.com>, Jan Vilhuber <vilhuber@cisco.com>, Ben McCann <bmccann@indusriver.com>, ipsec@lists.tislabs.com
Subject: Re: Racing QM Initiator's
References: Your message of "Wed, 13 Oct 1999 20:46:03 PDT." <D899E9E27BE9D211842200805FA67B431B9575@vpnet.com> <199910140931.NAA21314@relay1.trustworks.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Valery Smyslov wrote:
<trimmed...>
>
> Dan, it's OK with simultaneous phase 2 negotiations. But what about
> simultaneous phase 1 negotiations? Is there any reason (besides
> implementation simplicity) not to drop one of the negotiations (of course,
> with some clear rule to decide which one, for example, based on IP
> address comparison)?

How about the case in which one of the phase 1 SAs requires ID PFS while
the other one does not? The following diagram clarifies:

+---+  |                            |  +---+
| A |--|  +---+              +---+  |--| B |
+---+  |--| x |==internet==| y |--|  +---+
       |  +---+              +---+  |
+---+  |                            |  +---+
| C |--|                            |--| D |
+---+  |                            |  +---+

Assume that x and y are security gateways which provide ipsec services to
their respective local networks. Suppose that A wants to talk to D, and
this SA requires ID PFS. Suppose that around the same time, B wants to
talk to C, and this SA does not require PFS. When a packet A=>D arrives at
x, x begins negotiating with y. Suppose a packet B=>C arrives at y prior
to the arrival of x's first IKE packet, at which time y initiates IKE with
x, and the two IKE packets are simultaneously in transit. This is a case
in which it would be incorrect to drop one of the negotiations.

Scott
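The collision Scott describes, modelled as a small Python simulation. This is an added example, not code from the thread or from any IKE implementation. It assumes the IKEv1 meaning of identity PFS (an ISAKMP SA that is used for exactly one Quick Mode and then deleted), a hypothetical tie-break rule that keeps only the negotiation started by the numerically lower gateway address, and constructed gateway addresses from the RFC 5737 documentation ranges. The point it makes is that any rule collapsing the two phase 1 negotiations into one leaves two phase 2 SAs sharing a single ISAKMP SA, which the A=>D SA's ID PFS requirement forbids.

```python
"""Phase 1 collision between two security gateways, x and y, where the
phase 2 SA behind one negotiation requires identity PFS.  Added example,
not from the mailing-list thread; addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Phase2Request:
    src_host: str       # protected host whose packet triggered IKE
    dst_host: str
    gateway: str        # security gateway initiating on its behalf
    peer: str           # gateway on the far side of the internet
    id_pfs: bool        # identity PFS: ISAKMP SA may serve only this QM


@dataclass(frozen=True)
class Phase1Negotiation:
    initiator: str
    responder: str
    trigger: Phase2Request

    def between(self, a, b):
        return {self.initiator, self.responder} == {a, b}


def keep_both(negotiations):
    """Let both simultaneous phase 1 negotiations run to completion."""
    return list(negotiations)


def drop_higher_initiator(negotiations):
    """Hypothetical tie-break rule from the quoted proposal: keep only the
    negotiation started by the gateway with the lower IP address."""
    return [min(negotiations, key=lambda n: ip_address(n.initiator))]


def bind_phase2(surviving, requests):
    """Map each phase 2 request onto a surviving ISAKMP SA between the same
    gateway pair, preferring the one its own packet triggered.  Returns
    {negotiation: [requests riding on it]}."""
    bound = {n: [] for n in surviving}
    for req in requests:
        own = [n for n in surviving if n.trigger == req]
        same_pair = [n for n in surviving if n.between(req.gateway, req.peer)]
        candidates = own or same_pair
        if not candidates:
            raise RuntimeError(f"no ISAKMP SA for {req.src_host}=>{req.dst_host}")
        bound[candidates[0]].append(req)
    return bound


def id_pfs_violations(bound):
    """A phase 2 SA requiring identity PFS must not share its ISAKMP SA with
    any other phase 2 SA.  Return the (src, dst) pairs that would."""
    offenders = []
    for reqs in bound.values():
        if len(reqs) > 1:
            offenders += [(r.src_host, r.dst_host) for r in reqs if r.id_pfs]
    return offenders


# Constructed scenario from the diagram: x guards A and C, y guards B and D.
X, Y = "192.0.2.1", "198.51.100.1"
A_TO_D = Phase2Request("A", "D", gateway=X, peer=Y, id_pfs=True)
B_TO_C = Phase2Request("B", "C", gateway=Y, peer=X, id_pfs=False)
# Both first IKE packets are in transit at the same time.
IN_FLIGHT = [Phase1Negotiation(X, Y, A_TO_D), Phase1Negotiation(Y, X, B_TO_C)]


def run(policy):
    """Apply a collision policy and report which ID-PFS SAs it breaks."""
    surviving = policy(IN_FLIGHT)
    return id_pfs_violations(bind_phase2(surviving, [A_TO_D, B_TO_C]))


if __name__ == "__main__":
    print("keep both:", run(keep_both))               # []
    print("drop one :", run(drop_higher_initiator))   # [('A', 'D')]
```

The same violation appears whichever negotiation the tie-break rule keeps: with one ISAKMP SA left between x and y, the B=>C Quick Mode has to ride on it alongside A=>D, so dropping by address comparison is only safe when neither side's policy requires identity PFS.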