Re: [IPsec] synchronizing crypto state

Yoav Nir <ynir@checkpoint.com> Mon, 22 March 2010 19:57 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Dan Harkins <dharkins@lounge.org>
Date: Mon, 22 Mar 2010 21:57:12 +0200
Thread-Topic: [IPsec] synchronizing crypto state
Thread-Index: AcrJ+eqO7LzHfYMPT6iGoVOZXFZb7A==
Message-ID: <2C2138DA-692D-45BE-A4B5-94B339716558@checkpoint.com>
References: <B0463EF9-0942-4BA9-9228-D7A033054996@cisco.com> <884e7195495b157f15c923c3ba660a99.squirrel@www.trepanning.net>
In-Reply-To: <884e7195495b157f15c923c3ba660a99.squirrel@www.trepanning.net>
Cc: IPsecme WG <ipsec@ietf.org>, David McGrew <mcgrew@cisco.com>
Subject: Re: [IPsec] synchronizing crypto state

That would be good, but we don't want to mandate not using certain modes of operation when you have a cluster. That would be very counter-productive.

OTOH, because of the replay counter, we've already agreed that an outbound child SA cannot be shared among members of a load-sharing cluster.

As for the "hot standby" cluster, it *is* important to avoid repeating an IC after failover, so precautions must be taken, and that draft David mentioned is one good way.

However, this problem is internal to the cluster. It has nothing to do with IKE interoperability with other peers (I don't think any peer actually verifies that an IC or IV has not been previously used with the same key). Therefore, this whole discussion is out of scope for this work item.

Do you agree?

Yoav

On Mar 22, 2010, at 11:20 AM, Dan Harkins wrote:

> 
>  Hi,
> 
>  Another solution is to use a cipher mode (like SIV) that does not lose
> all security if a counter is reused. Then you don't have to worry at all
> about it.
> 
>  Dan.
> 
> On Mon, March 22, 2010 9:29 am, David McGrew wrote:
>> Hi Yoav,
>> 
>> another requirement for IPsec HA is to coordinate the use of distinct
>> counters between multiple crypto engines.  The problem  (and a
>> convenient solution) is described in
>> http://tools.ietf.org/html/draft-ietf-msec-ipsec-group-counter-modes-05
>> 
>> David
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
>> 
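The thread above turns on two facts about counter-mode ciphers in an IPsec cluster: repeating an IV/initial counter under the same SA key after a failover (or between two engines sharing an outbound SA) leaks the XOR of the two plaintexts, and the fix on the cluster side is to give each engine a disjoint slice of the counter space and to have a hot standby resume strictly past anything the failed member may have used. The following Python is an added illustration written for this page, not code from the thread, from the msec counter-modes draft, or from any vendor. It uses HMAC-SHA256 as a stand-in keystream PRF so it runs with the standard library alone (real deployments use AES-CTR/AES-GCM, whose reuse property is identical), and the IV layout (`MEMBER_BITS`, `SEQ_BITS`), the `max_lag` sync model and all keys and messages are constructed assumptions, a simplified version of the per-sender partitioning idea rather than the draft's exact encoding.

```python
import hashlib
import hmac
import struct

# --- Toy counter mode (HMAC-SHA256 as PRF; assumption, stands in for AES) ---

def keystream(key: bytes, iv: int, length: int) -> bytes:
    """Keystream for (key, iv): concatenation of PRF(key, iv || block_index)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", iv, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, iv: int, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def reused_iv_leaks(key: bytes, iv1: int, iv2: int, pt1: bytes, pt2: bytes) -> bool:
    """True when C1 xor C2 == P1 xor P2, i.e. the keystream cancelled out.
    This happens exactly when the same (key, iv) was used twice: the failure a
    repeated IC after failover, or two engines sharing one counter, would cause."""
    c1 = ctr_encrypt(key, iv1, pt1)
    c2 = ctr_encrypt(key, iv2, pt2)
    return xor_bytes(c1, c2) == xor_bytes(pt1, pt2)


# --- Partitioned IV space for a cluster (constructed layout, assumption) ---

MEMBER_BITS = 8                  # high bits of a 64-bit IV name the engine/member
SEQ_BITS = 64 - MEMBER_BITS      # low bits are that member's private sequence


class MemberIvAllocator:
    """Each cluster member owns a disjoint slice of the 64-bit IV space, so
    engines that hold the same outbound SA key can never collide on an IV."""

    def __init__(self, member_id: int, start_seq: int = 0) -> None:
        if not 0 <= member_id < (1 << MEMBER_BITS):
            raise ValueError("member_id does not fit the member field")
        self.member_id = member_id
        self.seq = start_seq

    def next_iv(self) -> int:
        if self.seq >= (1 << SEQ_BITS):
            raise RuntimeError("IV space exhausted for this member; rekey the SA")
        iv = (self.member_id << SEQ_BITS) | self.seq
        self.seq += 1
        return iv


class HotStandby:
    """Active member pushes its sequence to the standby every `max_lag` IVs.
    The standby therefore lags by fewer than `max_lag`; on failover it must
    resume at synced_seq + margin with margin >= max_lag to avoid repeats."""

    def __init__(self, active: MemberIvAllocator, max_lag: int) -> None:
        self.active = active
        self.max_lag = max_lag
        self.synced_seq = active.seq
        self.since_sync = 0

    def issue(self) -> int:
        iv = self.active.next_iv()
        self.since_sync += 1
        if self.since_sync >= self.max_lag:   # state sync reaches the standby
            self.synced_seq = self.active.seq
            self.since_sync = 0
        return iv

    def failover(self, margin: int) -> MemberIvAllocator:
        """Standby takes over the failed member's slice, skipping `margin` IVs."""
        return MemberIvAllocator(self.active.member_id, self.synced_seq + margin)


def simulate_failover(max_lag: int, issued: int, margin: int) -> int:
    """Issue `issued` IVs on the active, fail over, issue `issued` more on the
    standby; return how many IVs were repeated (0 is the only safe answer)."""
    hs = HotStandby(MemberIvAllocator(member_id=1), max_lag)
    used = {hs.issue() for _ in range(issued)}
    survivor = hs.failover(margin)
    return sum(1 for _ in range(issued) if survivor.next_iv() in used)
```

`simulate_failover(10, 23, 0)` shows the naive resume (restart at the last synced counter) repeating three IVs; `simulate_failover(10, 23, 10)` shows the margin-based resume repeating none. The `reused_iv_leaks` check is the reason the margin matters: a peer will accept both ciphertexts without complaint, exactly as the message above notes that no peer verifies IV freshness, so the only place the property can be enforced is inside the cluster.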