IETF Logo Mail Archive

RE: [Mobike] RE: [Ipsec] Asymmetric Security

"Srinivasa Rao Addepalli" <srao@intoto.com> Wed, 16 February 2005 03:59 UTC

Received: from megatron.ietf.org (megatron.ietf.org [132.151.6.71]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA11896 for <ipsec-archive@lists.ietf.org>; Tue, 15 Feb 2005 22:59:25 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D1GIh-0005cg-UI; Tue, 15 Feb 2005 22:56:31 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1D1GI3-0005Jv-LI for ipsec@megatron.ietf.org; Tue, 15 Feb 2005 22:55:51 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA11344 for <ipsec@ietf.org>; Tue, 15 Feb 2005 22:55:49 -0500 (EST)
Received: from [207.145.48.18] (helo=smtp.intoto.com) by ietf-mx.ietf.org with smtp (Exim 4.33) id 1D1GdE-0004x8-6e for ipsec@ietf.org; Tue, 15 Feb 2005 23:17:44 -0500
Received: from angel.intoto.com ([66.80.10.146]) by smtp.intoto.com (SMSSMTP 4.0.0.59) with SMTP id M2005021519543226966 ; Tue, 15 Feb 2005 19:54:32 -0800
Received: from SriniSony (dhcp-109.intoto.com [10.1.5.109]) (authenticated bits=0) by angel.intoto.com (8.13.1/8.13.1) with ESMTP id j1G3srst008013; Tue, 15 Feb 2005 19:54:56 -0800
Message-Id: <200502160354.j1G3srst008013@angel.intoto.com>
From: Srinivasa Rao Addepalli <srao@intoto.com>
To: Atul.Sharma@nokia.com, kent@bbn.com
Subject: RE: [Mobike] RE: [Ipsec] Asymmetric Security
Date: Tue, 15 Feb 2005 19:54:52 -0800
Organization: Intoto Inc
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
In-Reply-To: <DC504E9C3384054C8506D3E6BB012460CD8C7D@bsebe001.americas.nokia.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: AcUTHB67SyBEKeXgSoemmvS91FiwtQASrNTgAByVpgA=
X-Spam-Score: 0.0 (/)
X-Scan-Signature: fb6060cb60c0cea16e3f7219e40a0a81
Content-Transfer-Encoding: 7bit
Cc: ipsec@ietf.org, mobike@machshav.com
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IP Security <ipsec.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Content-Transfer-Encoding: 7bit

Hi Atul,

> >(1) Asymmetry in Gateways:
> >Let us say there are three gateways A, B, C. In the forward 
> >direction secure traffic
> >flows from Gateway A to Gateway B. In the reverse direction 
> traffic flows from
> >Gateway C to Gateway A.  A Mobile IP End-to-End Security between a
> >correspondent node and a mobile node will be an example 
> scenario here.
> >IKE negotiations between A and B can setup a tunnel and IKE 
> negotiations
> >between C and A can set up the tunnels. Both the tunnels shall still 
> >protect the
> >same hosts/addresses. [Since IKE negotiations do not allow 
> asymmetry we will
> >have to have two separate IKE negotiations]
> 
> so, what's the problem? you have separate SAs because you have 
> different endpoints. we decided long ago to create SAs in pairs. are 
> you concerned that the state maintained for the unused SAs is a 
> unacceptable burden?

Only that there is no unused SAs or rather no unused SA pairs. There will
be two SA pairs negotiated each with different tunnel endpoints. In the
first SA pair only the forward SA will be used, in the second SA pair only
the reverse SA will be used. Is something like this already allowed?

SRINI> This scenario happens even in cases where each peer having only one
IP address. Think of a scenario, where both parties re-key IPsec (phase2)
keys at the same time. So, IMO the scenario you described would work with
existing implementations.

One SA in each pair shall be unused, which need not even be maintained.

A related question: Do we allow IKE negotiations to be asymmetric, i.e. IKE
message goes to an address, but the response comes back from a different
address?

SRINI> In my view, this may not be problem with IKE implementations. But, we
observed this problem, when there is symmetric firewall in between IKE
peers. It is a good practice that IKE implementations send the
reverse/response IKE packets with source IP address as the landed IP address
of the received IKE packet. So, I consider the problem you indicated is more
of implementation problem than the specification limitation.

> >(2) Asymmetry in Tunnels:
> >Let us say there are two multihomed Gateways. These gateways 
> negotiate TWO
> >tunnels, each with different tunnel endpoints (corresponding to 
> >multihomed addresses).
> >But both the tunnels still protecting the same hosts/addresses. This 
> >can be a real
> >life scenario to acheive redundancy/high availability
> 
> again, what is the problem here?

Allowing two tunnels protecting the same addresses/hosts, but with differnt
tunnel endpoints. Is this something allowed now?

SRINI> Yes, specifications don't prohibit this behavior. It is already put
to use, in implementations, to achieve load sharing of the data across
multiple SAs to pass secured traffic through multiple WAN links.



_______________________________________________
Mobike mailing list
Mobike@machshav.com
https://www.machshav.com/mailman/listinfo.cgi/mobike



_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

v2.46.0 | Report a Bug | By Email | System Status