IETF Logo Mail Archive

[IPsec] Rekeying of child sa, Question on TS handling according to RFC 5996

Pål Dammvik <pal.dammvik@ericsson.com> Wed, 20 August 2014 12:17 UTC

Return-Path: <pal.dammvik@ericsson.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21B2F1A02E8 for <ipsec@ietfa.amsl.com>; Wed, 20 Aug 2014 05:17:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fTjHZ9ka2ZYc for <ipsec@ietfa.amsl.com>; Wed, 20 Aug 2014 05:17:17 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE4971A02E5 for <ipsec@ietf.org>; Wed, 20 Aug 2014 05:17:16 -0700 (PDT)
X-AuditID: c1b4fb30-f79736d0000053b8-2a-53f491ca6d9f
Received: from ESESSHC013.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 66.EF.21432.AC194F35; Wed, 20 Aug 2014 14:17:15 +0200 (CEST)
Received: from ESESSMB309.ericsson.se ([169.254.9.84]) by ESESSHC013.ericsson.se ([153.88.183.57]) with mapi id 14.03.0174.001; Wed, 20 Aug 2014 14:17:14 +0200
From: Pål Dammvik <pal.dammvik@ericsson.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Thread-Topic: Rekeying of child sa, Question on TS handling according to RFC 5996
Thread-Index: Ac+8cADLb6zidk/KSCOu+0//Eszt4w==
Date: Wed, 20 Aug 2014 12:17:13 +0000
Message-ID: <F68C660364DABE41AF4617F517EF548411707BE2@ESESSMB309.ericsson.se>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.20]
Content-Type: multipart/alternative; boundary="_000_F68C660364DABE41AF4617F517EF548411707BE2ESESSMB309erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrGLMWRmVeSWpSXmKPExsUyM+Jvje7piV+CDS7vYbLYv+UFmwOjx5Il P5kCGKO4bFJSczLLUov07RK4MhZOn85esN6uYua8t8wNjH1mXYycHBICJhIzt7WyQNhiEhfu rWcDsYUEjjJKnGvR7WLkArIXM0pM3vGUHSTBJmAvseTcMzBbREBV4tSy6awgtrCAr8S19hdA NgdQPERi3koBiBI9iW0TZ4PNZAEq39j8BqyVF6h8243JYK2MArIS97/fA7uBWUBc4taT+UwQ 9whILNlznhnCFpV4+fgfK4StKHF1+nImiPp8ifNbVrBCzBSUODnzCcsERqFZSEbNQlI2C0kZ RFxP4sbUKWwQtrbEsoWvmSFsXYkZ/w6xIIsvYGRfxShanFqclJtuZKSXWpSZXFycn6eXl1qy iREYEQe3/DbYwfjyueMhRgEORiUe3gUTPgcLsSaWFVfmHmKU5mBREuddeG5esJBAemJJanZq akFqUXxRaU5q8SFGJg5OqQbGsFR2cbnuE8XRc+5vnTllaS1L4e99K9doTn5fzvljVS6jr2i1 3fZ/apn+V3/MC67S2DAvd9tzgYObToWd9Wi7VXLZMnTlp7w12z2XzH5xxGt//J5lPKzG/EFf BFRvBOaEz4pyZilqelDJc2Iyv/GfqJ7nHY8u2DZ4eW0Tv//U481vaVsBI9YYJZbijERDLeai 4kQAOPaef2kCAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/uAZrPAVohlDRUDukGm2gQ_QRTgY
Subject: [IPsec] Rekeying of child sa, Question on TS handling according to RFC 5996
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Aug 2014 12:17:19 -0000

One of the differences between RFC 5996 and 4306 is in the rekeying where it's stated in RFC 5996 section  2.8:

"Note that, when rekeying, the new Child SA SHOULD NOT have different Traffic Selectors and algorithms than the old one."

Additionally in section 1.3.3 (that also addresses rekeying)  of the same RFC,  it's stated:

"The Traffic Selectors for traffic to be sent on that SA are specified in the TS payloads in the response, which may be a subset of what the initiator of the Child SA proposed."

I think these sentences leaves some room for interpretation what the create child sa request message can contain in the rekeying scenario.
When a node initiates rekeying  of a child sa using the create child sa message exchange, which traffic selectors is it allowed to include in the create child  sa request?  Does it have to be identical to the negotiated traffic selector from the old child sa (i.e. the traffic selector received in the original create child sa response for the sa) or can it for example be the same traffic selectors as originally proposed in the create child sa request for the old child sa..?

There is a strange sentence related to this topic in section 1.7 " Significant Differences between RFC 4306 and This document" related to this topic:

"The new Section 2.9.2 covers Traffic Selectors in rekeying."

but there does not seem to be a chapter 2.9.2 in the document ?!

Is this an editorial mistake or something missing?

As the RFC has similar statement for the negotiated algorithms (i.e. encryption, integrity), the same question pops up there.. I.e. should it in the create child sa request only include the algorithms used by the old child sa or can it include all algorithms originally proposed...

Regards Pål

v2.23.0 | Report a Bug | By Email