IETF Logo Mail Archive

Re: [IPsec] IPsec Digest, Vol 123, Issue 21

Yoav Nir <ynir.ietf@gmail.com> Tue, 19 August 2014 15:11 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F17C1A03A8 for <ipsec@ietfa.amsl.com>; Tue, 19 Aug 2014 08:11:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fHnHPG9mYwle for <ipsec@ietfa.amsl.com>; Tue, 19 Aug 2014 08:11:53 -0700 (PDT)
Received: from mail-we0-x22c.google.com (mail-we0-x22c.google.com [IPv6:2a00:1450:400c:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D78121A03DB for <ipsec@ietf.org>; Tue, 19 Aug 2014 08:11:52 -0700 (PDT)
Received: by mail-we0-f172.google.com with SMTP id x48so6669556wes.31 for <ipsec@ietf.org>; Tue, 19 Aug 2014 08:11:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=1LNHMC/W+B567GJGQQzfNdEhv8Kh37PPJq7ygae1X9A=; b=CVvxp03CMxzSo1BHKmb7y1VIOWj9G7bTEeReh22i2euY/LDQr79i1sB9es4GBByULg MUIsj76ccKeAtOWmcyDSds1KYePCxGwwo3cV9qWv+fb0G172GLQDdyKQ6X34FKVulSTc d2cDiIEJ4eOUKRjghpAVBUMhyHuKLgzj6erDkKGW0J2GFA9M2tgq9f1waBhf9JSd+u94 ZG479cQNAEFcUWHcpDYq8a0QjqrgAGw0+3zd68n7lbMrY60Sjv23JdCzVVE7Re0Pnaaa KXU7aBVv5wVGOqkhRVddQXXMGANVSVKNflv6c6+CxcPEMDWveqk/p+SKq9DOpTGggx9i JODw==
X-Received: by 10.194.57.237 with SMTP id l13mr2247380wjq.102.1408461111335; Tue, 19 Aug 2014 08:11:51 -0700 (PDT)
Received: from [172.24.250.90] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id es9sm51132526wjd.1.2014.08.19.08.11.48 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 19 Aug 2014 08:11:48 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_79586301-FFE3-410F-A3E5-2C2987E7ED07"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <DE3BA6C9-FE85-4587-AB96-36349F9B1F7C@gmail.com>
Date: Tue, 19 Aug 2014 18:11:47 +0300
Message-Id: <A878C09C-750C-4284-BDF5-31FFBFAB031B@gmail.com>
References: <mailman.4236.1406823571.13632.ipsec@ietf.org> <A0463391-0BB4-408F-874B-A6B91ED6D102@gmail.com> <21490.4420.127387.489490@fireball.kivinen.iki.fi> <9852A873-1EEA-45EC-AEA3-BA654249A662@gmail.com> <E3D6D40E-FDFD-443E-BC11-81CF34A5F319@gmail.com> <DE3BA6C9-FE85-4587-AB96-36349F9B1F7C@gmail.com>
To: Les Leposo <leposo@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/viz8W6Pax6pcVWYZiMNLQN1AXr8
Cc: ipsec@ietf.org, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [IPsec] IPsec Digest, Vol 123, Issue 21
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Aug 2014 15:11:58 -0000

On Aug 19, 2014, at 5:48 PM, Les Leposo <leposo@gmail.com> wrote:

>>> 
>>> Now, today's client devices need to be energy efficient - so the device sleeps/hibernates to save battery.
>>> Sleeping past the nat keepalives is bound to happen (either by design or error).
>>> At some point the device will wake from sleep and need to test reachability using dpd.
>>> 
>>> And in some cases (if the sleep was more than a certain threshold), rather than wait for dpd to failover, the choice is to go for rekey.
>> 
>> It depends which standards you’ve implemented. If you’ve implemented QCD (RFC 6290), then DPD fails or succeeds immediately as long as you have connectivity,
> RFC 6290 is ikev2 2011, Pauls complaint is regarding ikev1/ikev2... not sure. If ikev1, then we're beating a dead horse.
> But if ikev2, then my point still stands that the appropriate use of 'MUST’.

I think that a remote access gateway that services battery-sensitive devices should allow a lot of time before initiating its own DPD. Unfortunately, there is no way for a gateway to communicate to the client “if you’ve been silent for X seconds, you can assume that I’ve started a DPD and probably killed your IKE SA”.

>> and it doesn’t make sense to go directly to a new Initial exchange. 
>> 
> 
> What if the IKE SA was nearing expiry, and/or the server initiated a rekey while you were asleep.

Under IKEv2 rules, the rekey failed and the old IKE SA is gone. It’s OK that it happened, It’s only a matter of detecting this efficiently.

>> AFAIK racoon doesn’t have that. Maybe it has session tickets, which make the Initial exchange lighter.
>> 
>> Of course, wiping all state every time you blank the screen is (if true) a very weird implementation choice. 
> Do you mean screen lock?

If that’s what it is called on an iPhone (I don’t have one). I mean whatever makes the screen go blank so that you need to press a button and swipe the screen in some direction, optionally including a code. 

Yoav

v2.23.0 | Report a Bug | By Email