Racing QM Initiator's

[Ben McCann <bmccann@indusriver.com>]

By dumb luck, I just had two SG's attempt a QM exchange with each
other _at_the_same_time_. Each sent the first QM packet as initiator and
each got that packet and tried to act as QM responder. Both got confused
because they both switched from Initiator to Responder in mid-stream.

Here was my test configuration:

	C1-----SG=======SG-----C2

Clients 1 and 2 (C1, C2) are both pinging each other. Policy on the
SG's creates tunnel mode SA's for the ping traffic. The current Phase
2 SA for ping expires at the same time on both SG's. Then next ping
send by each client triggers each SG to create a Phase 2 SA.

What is the interoperable way to solve this race? I trolled through
the list archives but didn't see anything relevant. Possibilities are:

1. Deal with it. Two QM exchanges occur where both SG's are temporarily
both Phase 2 initiator and responder. (This could be tough because that
state is part of the parent Phase 1 SA).

2. Both SG's abort the QM exchange, backoff, and retry later.

3. One SG aborts and becomes responder. How do you know which should
abort? The SG with the lowest IP address?

I'm sure there are other options too. Any opinions are welcome...

Thanks,
Ben McCann

-- 
Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111

---

Follow-Ups:

• Re: Racing QM Initiator's
• From: Radha Gowda <rxg@openroute.com>
• Re: Racing QM Initiator's
• From: Will Price <wprice@cyphers.net>

---

• Prev by Date: Fwd: I-D ACTION:draft-shacham-ippcp-rfc2393bis-01.txt
• Next by Date: Re: Racing QM Initiator's
• Prev by thread: Fwd: I-D ACTION:draft-shacham-ippcp-rfc2393bis-01.txt
• Next by thread: Re: Racing QM Initiator's
• Index(es):
  • Main
  • Thread