[IPsec] DPD in IKEv2

Toby Mao <yumao9@gmail.com> Sun, 11 July 2010 10:06 UTC


Hi all:

DPD (RFC 3706) provides a mechanism to detect a dead IKEv1 peer.
In draft-ietf-ipsecme-roadmap-07
<http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-roadmap/>,
section 4.2.3.1, it tells us: "This RFC defines an optional extension
to IKEv1; dead peer detection (DPD) is an integral part of IKEv2, which
refers to this feature as a "liveness check" or "liveness test"."  So we
can learn that DPD can be used in IKEv2. However, some issues need to be
discussed when it is used in IKEv2.

#1: Sequence Number in DPD Message

In RFC 3706, the sequence number in the DPD message proves liveness and
guards against message replay attacks; it is carried in the Notification
Data field of the Notify Payload. However, the Message ID in IKEv2 can
provide the same function (see WG draft draft-ietf-ipsecme-ikev2bis,
section 2.2 <http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-ikev2bis/>).
If DPD is used in IKEv2, the DPD notify message can use the Message ID in
the IKEv2 message header rather than defining another, redundant sequence
number in the Notification Data field. Furthermore, another WG draft,
draft-ietf-ipsecme-ipsec-ha
<http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-ipsec-ha/>, defines
the SADB information to be synchronized in clusters. If DPD uses its own
sequence number, that number should also be synchronized, as the IKE SA
counters are.

#2: Message Type

RFC 3706 defines the DPD messages as below:

     Notify           Message Value
     R-U-THERE        36136
     R-U-THERE-ACK    36137

But I do not see these definitions in draft-ietf-ipsecme-ikev2bis
<http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-ikev2bis/> or in
http://www.iana.org/assignments/ikev2-parameters.

So, should we update RFC 3706 or make a detailed description in
draft-ietf-ipsecme-ikev2bis
<http://tools.ietf.org/wg/ipsecme/draft-ietf-ipsecme-ikev2bis/>?
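An added illustration, not part of the message above and not code from any draft or implementation: a simplified Python model of the two liveness mechanisms it compares, RFC 3706 DPD with its own sequence number in the Notification Data, and the IKEv2 liveness check as an empty INFORMATIONAL exchange where the header Message ID alone proves liveness and rejects replays. The class names, message layouts and replay handling are constructed for the example; IKEv2's retransmission of the previous response for a repeated Message ID is omitted.

```python
from dataclasses import dataclass, field

R_U_THERE, R_U_THERE_ACK = 36136, 36137  # RFC 3706 notify values quoted above

@dataclass
class Ikev1DpdPeer:
    """RFC 3706 DPD: liveness/anti-replay via its own sequence number in Notify data."""
    next_seq: int = 1                           # next R-U-THERE sequence to send
    last_seen_seq: int = 0                      # highest sequence accepted from peer
    awaiting: set = field(default_factory=set)  # R-U-THEREs not yet acknowledged

    def send_r_u_there(self):
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.awaiting.add(seq)
        return (R_U_THERE, seq)

    def receive(self, notify):
        kind, seq = notify
        if kind == R_U_THERE:
            if seq <= self.last_seen_seq:       # replayed or stale: drop silently
                return None
            self.last_seen_seq = seq
            return (R_U_THERE_ACK, seq)         # the ACK must echo the sequence
        if kind == R_U_THERE_ACK and seq in self.awaiting:
            self.awaiting.remove(seq)
            return "alive"
        return None                             # unsolicited or replayed ACK

@dataclass
class Ikev2Peer:
    """IKEv2 liveness check: an empty INFORMATIONAL request. The header Message ID
    (one counter per direction) proves liveness and rejects replays by itself."""
    send_id: int = 0                            # Message ID of our next request
    expect_id: int = 0                          # Message ID expected from the peer
    outstanding: set = field(default_factory=set)

    def send_liveness(self):
        mid, self.send_id = self.send_id, self.send_id + 1
        self.outstanding.add(mid)
        return {"msg_id": mid, "response": False, "payloads": []}

    def receive(self, msg):
        mid = msg["msg_id"]
        if msg["response"]:
            if mid not in self.outstanding:     # stray or replayed response
                return None
            self.outstanding.remove(mid)
            return "alive"
        if mid != self.expect_id:               # replayed / out-of-window request
            return None
        self.expect_id += 1
        return {"msg_id": mid, "response": True, "payloads": []}
```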