
Byte-count lifetime enforcement?



As I was chasing bugs in lifetime counts, particularly that my _outbound_
number of bytes wasn't consistent with the _inbound_ number of bytes, the
thought occurred to me that, while I am self-consistent (after fixing said
bug, of course), I might not be consistent with others.

This _may_ be an interoperability issue in that one side's byte-count will
expire before the other side's, leaving one side using an SA that is expired
on the other side.  If I'm missing something here (an ISAKMP Notification of
some kind?), please let me know.  If I'm not missing anything, read on for
more details.

...

The Architecture document touches upon this issue with the following text:

                   (a) If byte count is used, then the implementation
                       SHOULD count the number of bytes to which the IPsec
                       algorithm is applied.

But for ESP, _WHICH_ algorithm?  The number of bytes applied with
encryption will be different than authentication.

We have several options for "number of bytes" counts:

   * Number of bytes in the "protected" portion of the datagram, before any
     security is applied.  This means the transport payload length or the
     inner datagram total length.

   * Number of bytes that get crunched through the _primary_ algorithm.
     For ESP, this is encryption (and null encryption counts here), and for
     AH, it would be authentication.  This would include pad bytes, etc.

   * Some other method of byte count, TBD.

Any "accepted" method?  It's nice to be consistent with your implementation,
but we ARE in the interoperability business; it would be nice to be
consistent with others too.

Dan
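The divergence Dan describes, as an added example that is not part of the original post: Python that charges one ESP packet's bytes under each counting convention from the message and shows after how many packets each peer's byte lifetime is reached. The 8-byte cipher block size, 12-byte ICV, 20000-byte limit and the traffic profile are assumed values chosen for illustration.

```python
# Added example (not from the original post): how the three candidate
# byte-count conventions for an ESP SA diverge on identical traffic, so
# two peers that count differently expire the SA at different moments.
ESP_HEADER = 8          # SPI (4 bytes) + sequence number (4 bytes), RFC 2406
ESP_TRAILER_FIXED = 2   # pad length (1 byte) + next header (1 byte)

def esp_padding(payload_len, block_size):
    """ESP padding so payload + pad + 2-byte trailer fills whole cipher blocks.
    Simplified: assumes block_size is a multiple of 4, so the 4-byte
    alignment rule is satisfied automatically."""
    return (-(payload_len + ESP_TRAILER_FIXED)) % block_size

def esp_byte_counts(payload_len, block_size=8, icv_len=12):
    """Bytes one ESP packet adds to the SA lifetime under each convention."""
    pad = esp_padding(payload_len, block_size)
    encrypted = payload_len + pad + ESP_TRAILER_FIXED   # what the cipher processes
    authenticated = ESP_HEADER + encrypted              # what the integrity algorithm
                                                        # processes (ICV itself excluded)
    return {
        "protected_payload": payload_len,  # option 1: inner datagram / transport payload
        "encrypted": encrypted,            # option 2: ESP's primary algorithm, pad included
        "authenticated": authenticated,    # the other algorithm named by arch doc item (a)
    }

def packets_until_expiry(payload_lens, byte_limit, convention, **kw):
    """Packets a peer using `convention` sends before its byte lifetime is hit,
    or None if the limit is never reached on this traffic."""
    total = 0
    for i, plen in enumerate(payload_lens):
        total += esp_byte_counts(plen, **kw)[convention]
        if total >= byte_limit:
            return i + 1
    return None

if __name__ == "__main__":
    # Constructed traffic: 1000 small packets (40-byte transport payloads)
    traffic = [40] * 1000
    limit = 20000  # assumed byte lifetime negotiated for the SA
    for convention in ("protected_payload", "encrypted", "authenticated"):
        n = packets_until_expiry(traffic, limit, convention)
        print(f"{convention:18s} expires after packet {n}")
```

On this traffic a peer counting encrypted bytes expires the SA at packet 417 and a peer counting authenticated bytes at packet 358, while a peer counting only the protected payload keeps using it until packet 500.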

