[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Racing QM Initiator's
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Ben McCann wrote:
>
> By dumb luck, I just had two SG's attempt a QM exchange with each
> other _at_the_same_time_. Each sent the first QM packet as
> initiator and each got that packet and tried to act as QM
> responder. Both got confused because they both switched from
> Initiator to Responder in mid-stream.
>
> Here was my test configuration:
>
> C1-----SG=======SG-----C2
>
> Clients 1 and 2 (C1, C2) are both pinging each other. Policy on the
> SG's creates tunnel mode SA's for the ping traffic. The current
> Phase 2 SA for ping expires at the same time on both SG's. Then
> next ping send by each client triggers each SG to create a Phase 2
> SA.
>
> What is the interoperable way to solve this race? I trolled through
> the list archives but didn't see anything relevant. Possibilities
> are:
>
> 1. Deal with it. Two QM exchanges occur where both SG's are
> temporarily both Phase 2 initiator and responder.
So you end up with two SAs. No problem.
> (This could be tough because that
> state is part of the parent Phase 1 SA).
That's an implementation detail. Either side can initiate a QM and
if they do it simultaneously and you end up with two SAs I don't see
why it would matter. They're both perfectly valid.
> 2. Both SG's abort the QM exchange, backoff, and retry later.
>
> 3. One SG aborts and becomes responder. How do you know which
> should abort? The SG with the lowest IP address?
>
> I'm sure there are other options too. Any opinions are welcome...
>
> Thanks,
> Ben McCann
>
> --
> Ben McCann Indus River Networks
> 31 Nagog Park
> Acton, MA, 01720
> email: bmccann@indusriver.com web: www.indusriver.com
> phone: (978) 266-8140 fax: (978) 266-8111
- --
Will Price, Architect/Sr. Mgr., PGP Client Products
Total Network Security Division
Network Associates, Inc.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQA/AwUBOAUNj6y7FkvPc+xMEQJTVQCcCrACM3N1FEbKz3Q7QKJ4NSQOaZgAn0co
UEShfOHwr8tG52PH6BF6SvFr
=2haU
-----END PGP SIGNATURE-----
References: