[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Racing QM Initiator's
But aren't these two messages going out with different message IDs
generated randomly by each Phase II initiator? If so, why is there
a problem ? This will result in two IPSec SAs where one would have
been sufficient but I don't view that as catastrophic.
What am I missing?
vipul
> Date: Wed, 13 Oct 1999 15:17:07 -0400
> From: Ben McCann <bmccann@indusriver.com>
>
> By dumb luck, I just had two SG's attempt a QM exchange with each
> other _at_the_same_time_. Each sent the first QM packet as initiator and
> each got that packet and tried to act as QM responder. Both got confused
> because they both switched from Initiator to Responder in mid-stream.
>
> Here was my test configuration:
>
> C1-----SG=======SG-----C2
>
> Clients 1 and 2 (C1, C2) are both pinging each other. Policy on the
> SG's creates tunnel mode SA's for the ping traffic. The current Phase
> 2 SA for ping expires at the same time on both SG's. Then next ping
> send by each client triggers each SG to create a Phase 2 SA.
>
> What is the interoperable way to solve this race? I trolled through
> the list archives but didn't see anything relevant. Possibilities are:
>
> 1. Deal with it. Two QM exchanges occur where both SG's are temporarily
> both Phase 2 initiator and responder. (This could be tough because that
> state is part of the parent Phase 1 SA).
>
> 2. Both SG's abort the QM exchange, backoff, and retry later.
>
> 3. One SG aborts and becomes responder. How do you know which should
> abort? The SG with the lowest IP address?
>
> I'm sure there are other options too. Any opinions are welcome...
>
> Thanks,
> Ben McCann
>
> --
> Ben McCann Indus River Networks
> 31 Nagog Park
> Acton, MA, 01720
> email: bmccann@indusriver.com web: www.indusriver.com
> phone: (978) 266-8140 fax: (978) 266-8111
Follow-Ups: