RE: AggressiveMode issue
But the "NOTIFY-CONNECT message" may be lost on the way as well.
I think the last msg in an aggressive mode has to be kept for
retransmission, at least kept for a while.
> From owner-ipsec@portal.ex.tis.com Mon Apr 27 15:26:36 1998
> Message-Id: <319A1C5F94C8D11192DE00805FBBADDF063636@exchange.timestep.com.219.168.192.in-addr.arpa>
> From: Roy Pereira <rpereira@TimeStep.com>
> To: Tero Kivinen <kivinen@ssh.fi>
> Cc: ipsec@tis.com
> Subject: RE: AggressiveMode issue
> Date: Mon, 27 Apr 1998 13:43:00 -0400
> Mime-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.1960.3)
> Content-Type: text/plain
> Sender: owner-ipsec@ex.tis.com
> Precedence: bulk
> Content-Length: 2770
> Status: RO
>
> The problem with this approach is that an implementation would have to
> hold every ISAKMP message sent in a retransmission buffer. That is
> quite costly for a security gateway handling thousands of connections.
>
> Perhaps a better way is to use the COMMIT bit to require a
> NOTIFY-CONNECT message to be sent to the responder, then proceeding
> with the QuickMode exchange?
>
>
> > -----Original Message-----
> > From: Tero Kivinen [mailto:kivinen@ssh.fi]
> > Sent: Monday, April 27, 1998 11:09 AM
> > To: Roy Pereira
> > Cc: ipsec@tis.com
> > Subject: AggressiveMode issue
> >
> >
> > Roy Pereira writes:
> > > Not to delay the documents, but I have a question about
> > > Aggressive Mode;
> > >
> > > When the Initiator sends out the third phase 1 message, how
> > > does he know that the responder received it so that he can
> > > start the Quick Mode exchange?
> > >
> > > Initiator Responder
> > > --------- ---------
> > >
> > > MainMode:
> > ^^^^^^^^
> > I assume this should be aggressive mode...
> >
> > > 1 HDR, SA, KE, Ni, IDii -->
> > > 2 <-- HDR, SA, KE, Nr, IDir, HASH_R
> > > 3 HDR, HASH_I -->
> > >
> > > QuickMode:
> > > 1 HDR*, HASH(1), SA, Ni -->
> > > 2 <-- HDR*, HASH(2), SA, Nr
> > > 3 HDR*, HASH(3) -->
> > >
> > > The problem is that the responder might not get MM3 or that
> > > he might get QM1 before he gets MM3.
> >
> > If the AG3 is lost and the initiator starts quick mode immediately,
> > the responder will just silently drop the first quick mode packet.
> > After some time the responder notices that it hasn't received the last
> > aggressive mode packet and retransmits its second packet (AG2), and
> > when the initiator receives that it retransmits its final packet (AG3).
> >
> > The initiator also keeps retransmitting the QM1 packet until the
> > responder replies.
> >
> > So the exchange is like this:
> >
> > Initiator Responder
> > --------- ---------
> > AG1 HDR, SA, KE, Ni, IDii -->
> > AG2 <-- HDR, SA, KE, Nr, IDir, HASH_R
> > AG3 HDR, HASH_I -->| (this packet is lost)
> >
> > QM1 HDR*, HASH(1), SA, Ni --> (responder drops this)
> >
> > (responder times out and retransmits)
> > AG2b <-- HDR, SA, KE, Nr, IDir, HASH_R
> >
> > (Initiator notices retransmit and retransmits its last packet)
> >
> > AG3b HDR, HASH_I -->
> > (aggressive mode done,
> > phase I done).
> >
> > (Initiator's quick mode times out and it retransmits the packet)
> > QM1b HDR*, HASH(1), SA, Ni -->
> > QM2 <-- HDR*, HASH(2), SA, Nr
> > QM3 HDR*, HASH(3) -->
> >
> > (quick mode exchange done, phase II done).
> > --
> > kivinen@iki.fi Work : +358-9-4354 3218
> > SSH Communication Security http://www.ssh.fi/
> > SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
> >
>
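The lossy exchange Tero walks through above, and the retention point made in the reply at the top of this message, as an added simulation that is not code from any of the posters or from any IKE implementation. The message names (AG1..AG3, QM1..QM3) follow the thread; the tick-based timing, the retransmission intervals, and the Initiator/Responder/run_exchange names are assumptions of this example. Run with the initiator retaining AG3 it reproduces the AG2b/AG3b/QM1b sequence above; run with keep_last_message=False it shows the failure the top reply is worried about: the responder keeps resending AG2, keeps dropping QM1, and phase 2 never starts.

```python
"""Discrete-tick simulation of the aggressive-mode -> quick-mode exchange
described in the thread, with the initiator's third packet (AG3) lost.
Constructed example: not code from any poster or from an IKE implementation.
Message names follow the thread; "ticks", the retransmission intervals and
all class/function names here are assumptions of this example."""

RESPONDER_RETRANSMIT = 4   # assumed: ticks before the responder resends AG2
INITIATOR_RETRANSMIT = 6   # assumed: ticks before the initiator resends QM1


class Initiator:
    def __init__(self, keep_last_message):
        self.keep = keep_last_message   # retain AG3 after sending it?
        self.state = "start"            # start -> wait_ag2 -> quick_mode -> done
        self.retained_ag3 = None        # copy kept for retransmission
        self.qm1_sent_at = None
        self.ag3_sends = 0

    def step(self, tick, inbox):
        """Process delivered messages, return the messages to send this tick."""
        out = []
        for msg in inbox:
            if msg == "AG2" and self.state == "wait_ag2":
                # Phase 1 is finished from our side; quick mode starts at once.
                out += ["AG3", "QM1"]
                self.state, self.qm1_sent_at = "quick_mode", tick
            elif msg == "AG2" and self.state == "quick_mode" and self.retained_ag3:
                # The responder retransmitted AG2, so our AG3 never arrived.
                out.append(self.retained_ag3)
            elif msg == "QM2" and self.state == "quick_mode":
                out.append("QM3")
                self.state = "done"
        if self.state == "start":
            out.append("AG1")
            self.state = "wait_ag2"
        elif self.state == "quick_mode" and tick - self.qm1_sent_at >= INITIATOR_RETRANSMIT:
            out.append("QM1")           # QM1 is always resent until answered
            self.qm1_sent_at = tick
        if "AG3" in out:
            self.ag3_sends += 1
            self.retained_ag3 = "AG3" if self.keep else None
        return out


class Responder:
    def __init__(self):
        self.phase1_done = False   # set once HASH_I (AG3) has been received
        self.ag2_sent_at = None
        self.done = False
        self.dropped = []          # messages silently discarded

    def step(self, tick, inbox):
        """Process delivered messages, return the messages to send this tick."""
        out = []
        for msg in inbox:
            if msg == "AG1" and self.ag2_sent_at is None:
                out.append("AG2")
                self.ag2_sent_at = tick
            elif msg == "AG3":
                self.phase1_done = True
            elif msg == "QM1":
                if self.phase1_done:
                    out.append("QM2")
                else:
                    self.dropped.append(msg)   # no ISAKMP SA yet: dropped
            elif msg == "QM3":
                self.done = True
        if (not self.phase1_done and self.ag2_sent_at is not None
                and tick - self.ag2_sent_at >= RESPONDER_RETRANSMIT):
            out.append("AG2")          # AG2 is retained until AG3 arrives
            self.ag2_sent_at = tick
        return out


def run_exchange(keep_last_message=True, lose_first_ag3=True, max_ticks=40):
    """Run the exchange. Returns (trace, completed); trace entries are
    (tick, side, message, outcome) with outcome "sent", "lost" or "dropped"."""
    init, resp = Initiator(keep_last_message), Responder()
    to_initiator, to_responder, trace = [], [], []
    for tick in range(max_ticks):
        # The initiator acts first; its packets reach the responder the same
        # tick, and the responder's replies reach the initiator the next tick.
        for m in init.step(tick, to_initiator):
            lost = lose_first_ag3 and m == "AG3" and init.ag3_sends == 1
            trace.append((tick, "I", m, "lost" if lost else "sent"))
            if not lost:
                to_responder.append(m)
        seen = len(resp.dropped)
        replies = resp.step(tick, to_responder)
        trace += [(tick, "R", m, "dropped") for m in resp.dropped[seen:]]
        trace += [(tick, "R", m, "sent") for m in replies]
        to_initiator, to_responder = replies, []
        if init.state == "done" and resp.done:
            return trace, True
    return trace, False


if __name__ == "__main__":
    for keep in (True, False):
        trace, ok = run_exchange(keep_last_message=keep)
        print(f"initiator keeps AG3={keep}: completed={ok}")
        for entry in trace[:12]:
            print("  %2d %s %-4s %s" % entry)
```

The responder's side here is deliberately the cheap one from Roy's point of view: it retains only AG2 and only until AG3 arrives, after which nothing is buffered. The cost the top reply accepts is on the initiator, which has to hold its last phase 1 packet until the responder stops asking for it.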