Re: [IPsec] Another round of IKEv2-bis issues
David Wierbowski <wierbows@us.ibm.com> Thu, 08 April 2010 15:27 UTC
Return-Path: <wierbows@us.ibm.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AF5B33A6A13; Thu, 8 Apr 2010 08:27:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id alxsiDsd25Su; Thu, 8 Apr 2010 08:27:30 -0700 (PDT)
Received: from e6.ny.us.ibm.com (e6.ny.us.ibm.com [32.97.182.146]) by core3.amsl.com (Postfix) with ESMTP id 5B5D63A6A9A; Thu, 8 Apr 2010 08:27:26 -0700 (PDT)
Received: from d01relay03.pok.ibm.com (d01relay03.pok.ibm.com [9.56.227.235]) by e6.ny.us.ibm.com (8.14.3/8.13.1) with ESMTP id o38FOhCc027557; Thu, 8 Apr 2010 11:24:43 -0400
Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215]) by d01relay03.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id o38FRFVP113160; Thu, 8 Apr 2010 11:27:15 -0400
Received: from d01av01.pok.ibm.com (loopback [127.0.0.1]) by d01av01.pok.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id o38FRFCx015169; Thu, 8 Apr 2010 11:27:15 -0400
Received: from d01ml084.pok.ibm.com (d01ml084.pok.ibm.com [9.63.10.23]) by d01av01.pok.ibm.com (8.14.3/8.13.1/NCO v10.0 AVin) with ESMTP id o38FREfe015130; Thu, 8 Apr 2010 11:27:14 -0400
In-Reply-To: <19389.52595.209726.960078@fireball.kivinen.iki.fi>
References: <006FEB08D9C6444AB014105C9AEB133FB37650C568@il-ex01.ad.checkpoint.com> <19389.52595.209726.960078@fireball.kivinen.iki.fi>
X-KeepSent: 6AD2BFF8:4EBFBC83-852576FF:0050D170; type=4; name=$KeepSent
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: Lotus Notes Release 8.0.2FP1 SHF149 July 17, 2009
Message-ID: <OF6AD2BFF8.4EBFBC83-ON852576FF.0050D170-852576FF.0054E2E4@us.ibm.com>
From: David Wierbowski <wierbows@us.ibm.com>
Date: Thu, 08 Apr 2010 11:27:10 -0400
X-MIMETrack: Serialize by Router on D01ML084/01/M/IBM(Release 8.0.2FP4|December 10, 2009) at 04/08/2010 11:27:13
MIME-Version: 1.0
Content-type: text/plain; charset="US-ASCII"
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, ipsec-bounces@ietf.org
Subject: Re: [IPsec] Another round of IKEv2-bis issues
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Apr 2010 15:27:31 -0000
>Yoav Nir writes: >> Issue #181 - Section 2.4 unclear on Child SA failing >> ==================================================== >> Section 2.4 says "If Child SAs can fail independently from one >> another without the associated IKE SA being able to send a delete >> message, then they MUST be negotiated by separate IKE SAs". It is >> not clear what this means. Does it apply to implementations? If so, >> how can an implementation know whether or not the first clause is >> true? >> >> I propose removing the sentence, or greatly clarifying it. >> >> Tero and Dave commented. Dave proposed alternative text, replacing >> "they" with "each set of Child SAs": >> >> If sets of Child SAs can fail independently from one another without >> the associated IKE SA being able to send a delete message, then each >> set of Child SAs MUST be negotiated by separate IKE SAs. >> >> But I think this misses Sean's point, that while an implementation >> might be able to know whether child SAs fail independently in >> itself, it has no way of knowing this about the peer. > >Why should it know it about the peer? If the other end used same IKE >SA to negotiate the Child SAs, then those Child SAs cannot fail >independently. > >This case is only for the local implementors, it does not have any >protocol implications, except that other end can assume that if Child >SA A, and Child SA B are negotiated using same IKE SA C, then if A >works, that means that B also works (or the Child SA is deleted using >IKE SA C). > >The current text does not say anything what happens if the host Z >tries to create Child SA A and Child SA B using IKE SA C, and host X >notices that it cannot guarantee, that they cannot fail independently. >Most likely host X will then return error, but most likely it can also >make Child SA A and B so that they cannot fail independently, i.e. >allocate them from the same security processor. > >I.e. if we make example where we have host A, having multiple security >processors F, G, and H. Each of those security processors is able to >run full IPsec, including multiple IKE SAs and Child SAs. Each of >those security processors is separate, i.e. SAs are not shared between >them, thus each IKE SA and Child SA is on only one of them. Also in >this example we assume that one of those security processors can fail >independently from others, i.e. even if one of them crashes, or looses >state, the others can stay up. The device itself will then of course >need some kind of internal "switch" inside, which will "route" IKE and >Child SA packets to corresponding security processor. > >Now when host A is initiating negotiations it needs to make sure that >the Child SAs and the corrseponding IKE SA are on the same security >processor so if one of them fail, then all of them fail. > >If this is not true, then host B reciving packets from host A using >child SA which happened to be on the other security processor than the >IKE SA of that child SA, still thinks the host A is up and running, >even when the IKE SA is already dead. What is wrong with using a valid child SA? If you are claiming the child SA is not valid because it's IKE SA on host A no longer exists then I'll agree. When host A lost the IKE SA because the security processor failed it should have cleaned up any SAs created by the IKE SA. That does not mean all SAs created by the IKE SA need be on the same security processor. That's just your rule and how you decided to handle the situation. You could have kept knowledge of this relationship outside of the security processor. I see no reason to dictate how to handle this situation in the RFC. >This means that host B will >never start DPD, as it is seeing valid packets from host A coming in, >thus it will never notice that other Child SAs and the IKE SA on the >other security processor are dead, and will happily send data to them >without trying to recover. Well if host A did not properly cleanup up all child SAs I agree this could happen, but so what? Everyone is happy. Data is being exchanged as per the child SA. If host A did kill the child SA then dead peer detection would kick in as desired. It's probably more of an issue if the security processor containing a child SA died while the IKE SA was in another security processor, but I contend that in this scenario an implementation could be smart enough to know what child SAs are associated with each security processor and properly clean up. In this case it would even be able to send a delete. > >As the crash recovery is done on the IKE SA bases, and the crash >recovery assumes that if any of the Child SAs on the IKE SA is alive, >then the IKE SA is also alive, it is important that Child SAs and IKE >SA cannot fail independently. It's all a matter of bookkeeping. If they can fail separately you just need to keep track of what needs to be cleaned up when a failure occurs. The method you suggest is perhaps a good one and the easiest, but it is not the only one. > >> So I propose we remove it entirely. > I'm fine with removing it. >I do not agree on that. In most cases this is implementation hint that >is not needed, as most environments do not have multiple independent >security processors, but on those environments where we have those, it >is important for correct behavior that implementors implement this >correctly. Those who are really working on implementations on systems >which have multiple independent security processors should understand >what is said in the current text. As those people who do work on such >implementaions is extremely small, I do not think there is need to >add lots of material explaining the situation (as I did here in this >email), but keeping the text in the specification is still needed. I do not agree. The rule is simple. If an IKE fails cleanup all Child SAs created by it. In the case of a security processor failure you are guaranteed to have that happen if you keep the child SA on the same security processor, but that does not means that is the only way to do that. You have some distribution logic in place to begin with. That logic can save enough state to perform the proper cleanup. I see no reason to address how this cleanup occurs in this RFC. -- kivinen@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec Dave Wierbowski
- [IPsec] Another round of IKEv2-bis issues Yoav Nir
- [IPsec] Issue #187, was: Re: Another round of IKEā¦ Yaron Sheffer
- [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski
- Re: [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski
- Re: [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski
- Re: [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski
- Re: [IPsec] Another round of IKEv2-bis issues Tero Kivinen
- Re: [IPsec] Another round of IKEv2-bis issues David Wierbowski