IETF Logo Mail Archive

Re: [Tcpcrypt] New version of the charter text

Tero Kivinen <kivinen@iki.fi> Mon, 28 April 2014 12:30 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3D211A09A9 for <tcpcrypt@ietfa.amsl.com>; Mon, 28 Apr 2014 05:30:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.653
X-Spam-Level:
X-Spam-Status: No, score=-0.653 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gC5KJBKUr84V for <tcpcrypt@ietfa.amsl.com>; Mon, 28 Apr 2014 05:30:26 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 369EE1A0710 for <tcpcrypt@ietf.org>; Mon, 28 Apr 2014 05:30:25 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.7) with ESMTP id s3SCUCQa026664 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 28 Apr 2014 15:30:12 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.14.7/Submit) id s3SCUBpA019151; Mon, 28 Apr 2014 15:30:11 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21342.18899.736731.804370@fireball.kivinen.iki.fi>
Date: Mon, 28 Apr 2014 15:30:11 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: John-Mark Gurney <jmg@funkthat.com>
In-Reply-To: <20140424155532.GR43976@funkthat.com>
References: <53576572.5030805@it.uc3m.es> <53589161.4090700@mti-systems.com> <20140424155532.GR43976@funkthat.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 8 min
X-Total-Time: 8 min
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/v2T2nFsv3VpeGT7Y6S7n7m8aE2Q
Cc: Wesley Eddy <wes@mti-systems.com>, tcpcrypt@ietf.org
Subject: Re: [Tcpcrypt] New version of the charter text
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 12:30:29 -0000

John-Mark Gurney writes:
> The goal is to make it very easy for everyone to deploy...  Configuring
> IPSEC is a pain, and as Joe mentions, most implementations don't handle
> key roll over properly (even though apparently, you're allowed to keep
> both the old key and the new key around for the transition period to
> handle this case)...

Of course there can be buggy IPsec implementations which do not follow
the rules set in the RFCs and which loose some packets when doing
rekeying, but same applies to any protocol.

The current IPsec specifications (IKEv2, RFC5996) do specify how rekey
happens and it is specified so that no packets are lost: i.e. first
create new Child SA proactively, i.e. before the old Child SA expires;
then wait for traffic to move to this new SA (i.e. when you see
packets on new Child SA, you know that other end has installed it);
and only then remove old Child SA.

See section 2.8 of RFC 5996.

In the IKEv1 (from 1998, obsoleted in 2005) the rekeying was not
specified properly and there quite often was problems with
implementations which caused them to loose some packets while
rekeying. Usually those old implementations did work properly against
themselves, but when talking to someone else which implemented things
differently they might have lost few packets. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email