
Re: Racing QM Initiators




Ben McCann wrote:
> 
> By dumb luck, I just had two SGs attempt a QM exchange with each
> other _at_the_same_time_. Each sent the first QM packet as
> initiator and each got that packet and tried to act as QM
> responder. Both got confused because they both switched from
> Initiator to Responder in mid-stream.
> 
> Here was my test configuration:
> 
>         C1-----SG=======SG-----C2
> 
> Clients 1 and 2 (C1, C2) are both pinging each other. Policy on the
> SGs creates tunnel mode SAs for the ping traffic. The current
> Phase 2 SA for ping expires at the same time on both SGs. The
> next ping sent by each client triggers each SG to create a Phase 2
> SA.
> 
> What is the interoperable way to solve this race? I trolled through
> the list archives but didn't see anything relevant. Possibilities
> are: 
> 
> 1. Deal with it. Two QM exchanges occur where both SGs are
> temporarily both Phase 2 initiator and responder.

So you end up with two SAs.  No problem.

> (This could be tough because that
> state is part of the parent Phase 1 SA).


That's an implementation detail.  Either side can initiate a QM and
if they do it simultaneously and you end up with two SAs I don't see
why it would matter.  They're both perfectly valid.


> 2. Both SGs abort the QM exchange, backoff, and retry later.
> 
> 3. One SG aborts and becomes responder. How do you know which
> should abort? The SG with the lowest IP address?
> 
> I'm sure there are other options too. Any opinions are welcome...
> 
> Thanks,
> Ben McCann
> 
> --
> Ben McCann                              Indus River Networks
>                                         31 Nagog Park
>                                         Acton, MA, 01720
> email: bmccann@indusriver.com           web: www.indusriver.com
> phone: (978) 266-8140                   fax: (978) 266-8111

-- 

Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.



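The race above, as an added simulation that is not part of either poster's mail or of any real IKE implementation: two gateways send their first Quick Mode message before seeing the other's. One variant keeps the initiator/responder role per QM message ID (the "implementation detail" Will refers to) and ends with two valid SAs on each side; the other keeps a single role slot on the Phase 1 SA and reproduces the mid-stream flip Ben saw. Gateway names, message IDs and the three-message shape QM1/QM2/QM3 are constructed; there is no crypto and no real packet format.

```python
from dataclasses import dataclass, field

class QmConfusion(Exception):
    """A peer received a QM message that its recorded role cannot handle."""

@dataclass
class Gateway:
    name: str
    per_exchange: bool            # True: role kept per message ID; False: one role on the Phase 1 SA
    roles: dict = field(default_factory=dict)
    phase2_sas: list = field(default_factory=list)

    def _key(self, msgid):
        # Per-exchange state is keyed by the QM message ID; the shared variant has one slot.
        return msgid if self.per_exchange else "phase1"

    def initiate(self, msgid):
        self.roles[self._key(msgid)] = "initiator"
        return ("QM1", msgid, self.name)

    def receive(self, msg):
        kind, msgid, _src = msg
        key = self._key(msgid)
        if kind == "QM1":                       # peer proposes: act as responder for this exchange
            self.roles[key] = "responder"       # shared slot: silently flips a running initiator
            return ("QM2", msgid, self.name)
        expected = "initiator" if kind == "QM2" else "responder"
        if self.roles.get(key) != expected:
            raise QmConfusion(f"{self.name}: got {kind} for {msgid:#x} while {self.roles.get(key)}")
        self.phase2_sas.append(msgid)           # this exchange produced a Phase 2 SA
        del self.roles[key]
        return ("QM3", msgid, self.name) if kind == "QM2" else None

def run_race(per_exchange):
    """Both gateways send QM1 before seeing the other's. Returns SA counts, or the confusion."""
    a, b = Gateway("SG-A", per_exchange), Gateway("SG-B", per_exchange)
    # constructed message IDs; real ones are values chosen by each initiator
    in_flight = [(b, a.initiate(0xA001)), (a, b.initiate(0xB001))]
    try:
        while in_flight:
            dst, msg = in_flight.pop(0)
            reply = dst.receive(msg)
            if reply is not None:
                in_flight.append((a if dst is b else b, reply))
    except QmConfusion as e:
        return "confused: " + str(e)
    return (len(a.phase2_sas), len(b.phase2_sas))

if __name__ == "__main__":
    print(run_race(per_exchange=True))    # (2, 2): two valid SAs, no problem
    print(run_race(per_exchange=False))   # confused: ... the mid-stream role flip
```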

