[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Racing QM Initiator's

To: Sankar Ramamoorthi <Sankar@vpnet.com>
Subject: Re: Racing QM Initiator's
From: Dan Harkins <dharkins@network-alchemy.com>
Date: Wed, 13 Oct 1999 21:35:27 -0700
cc: "'Scott G. Kelly'" <skelly@redcreek.com>, Jan Vilhuber <vilhuber@cisco.com>, Ben McCann <bmccann@indusriver.com>, ipsec@lists.tislabs.com
In-reply-to: Your message of "Wed, 13 Oct 1999 20:46:03 PDT." <D899E9E27BE9D211842200805FA67B431B9575@vpnet.com>
Sender: owner-ipsec@lists.tislabs.com

  A TCP service (which, if you read the Stevens chapter is bound to
both a source and destination port) can get away with having only one 
connection with simultaneous opens because that service only does one 
thing. A different example is BGP in which one side can be both doing a 
connect to a particular host and an accept on the BGP tcp port. The 
connect and accept can both happen "simultaneously" but only one 
particular connection results (the unpreferable connection will be 
dropped). 

  But IKE is different. In IKE there can be 2 simultaneous Quick
Modes which could be the result of different packets hitting different
selectors both of which would need IPSec SAs but both can multiplex
off the same existing IKE SA. You can't just arbitrarily drop a 
negotiation because you're already negotiating with that IKE peer.

  Basically, you have to allow simultaneous negotiation or else you 
would not be able to support a configuration which had different 
traffic selectors (optionally using different IPSec policy) to the
same gateway. 

  Dan.

On Wed, 13 Oct 1999 20:46:03 PDT you wrote
> While I agree with the notion of supporting multiple independent SAs
> 
> this question is more out of curiosity.
> 
> >From Richard Steven's TCP/IP Volume 1 Chapter 18.8 paragraph 4
> 
> 'TCP was purposely designed to handle simultaneous opens and the rule is
> only one
> connection results from this, not two connections. (Other protcol suites,
> notably the OSI transport layer, create two connections in this scenario,
> not one).'
> I believe there is similiar wording in RFC 793 emphasising simultaneous
> open.
> 
> I don't know if there is a particular advantage to this feature.
> During the initial design of IKE did such an approach (simultaneous
> connections
> resulting in one connection) come up in the discussions? Is it worthwhile
> or feasible for a security protocol?
> 
> Thanks,
> 
> -- sankar --
> 
> 
> 
> -----Original Message-----
> From: Scott G. Kelly [mailto:skelly@redcreek.com]
> Sent: Wednesday, October 13, 1999 6:27 PM
> To: Radha Gowda
> Cc: Jan Vilhuber; Ben McCann; ipsec@lists.tislabs.com
> Subject: Re: Racing QM Initiator's
> 
> 
> Radha Gowda wrote:
> 
> > > To the list at large:
> > >
> > > Why can't we put verbiage like this into the RFC? Is there some reason
> this
> > > is a bad thing to do?
> > 
> > I also would like to point out to the list that Diffie-Hellman calculation
> does
> > not
> > come cheap for some of us (atleast for now).
> 
> I think the point is that we must be able to support independent
> simultaneous SAs between security gateways. Otherwise, how will we
> provide PFS? If you cannot handle the DH calculation, then I suppose
> that you can serialize these, but this is not a good argument for
> dumbing down the standard, is it?
> 
> Scott

Follow-Ups:

Re: Racing QM Initiator's

From: "Valery Smyslov" <svan@trustworks.com>

References:

RE: Racing QM Initiator's

From: Sankar Ramamoorthi <Sankar@vpnet.com>

Prev by Date: RE: Racing QM Initiator's
Next by Date: PPP over IPSec (without L2TP)?
Prev by thread: RE: Racing QM Initiator's
Next by thread: Re: Racing QM Initiator's
Index(es):
- Main
- Thread