
Re: Racing QM Initiator's



>Here was my test configuration:
>
>        C1-----SG=======SG-----C2
>
>Clients 1 and 2 (C1, C2) are both pinging each other. Policy on the
>SGs creates tunnel-mode SAs for the ping traffic. The current Phase
>2 SA for ping expires at the same time on both SGs. The next ping
>sent by each client triggers each SG to create a Phase 2 SA.
>
>What is the interoperable way to solve this race? I trolled through
>the list archives but didn't see anything relevant. Possibilities are:
>
>1. Deal with it. Two QM exchanges occur where both SGs are temporarily
>both Phase 2 initiator and responder. (This could be tough because that
>state is part of the parent Phase 1 SA).

This is really the only sensible way to do it.  You have to be able
to handle more than one QM at a given time, as either initiator or
responder.  Think about the case where you have, say, a C3 behind
the left hand side SG, and C1 is trying to send traffic to C2 at
the same time as C2 is trying to send to C3.  It would be the same
situation, except the QM IDs (and perhaps other attributes) would
be different for the two negotiations.  Gotta be able to handle it.

>2. Both SGs abort the QM exchange, back off, and retry later.

Could lead to a never-ending standoff.  Might work for Ethernet, but
not over a wide area network where packets get lost, etc.

>3. One SG aborts and becomes responder. How do you know which should
>abort? The SG with the lowest IP address?

Not a good move either.  What if somebody is using NAT?  (Regardless
of all the other places where NAT may or may not break things, it's
not a good idea to add yet another...)

-Shawn Mamros
E-mail to: smamros@nortelnetworks.com
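The point of the reply (option 1) is that the parent Phase 1 SA has to track several Quick Mode exchanges at once, keyed by the QM message ID, with a separate role for each. The following is an added illustration, not code from the thread or from any IKE implementation: it models the two-gateway race with a shared message queue and abstracts the QM1/QM2/QM3 messages down to their message ID and traffic selectors. The gateway names, seeds, selectors and the `allow_concurrent` switch are constructed for the example; the switch lets you compare a design that keeps a table of in-flight QMs against one that allows only a single outstanding exchange per Phase 1 SA.

```python
import random
from collections import deque
from dataclasses import dataclass


@dataclass
class QuickMode:
    """One in-flight Quick Mode exchange under a Phase 1 SA."""
    msg_id: int
    role: str        # "initiator" or "responder"
    selectors: tuple  # (proxy src, proxy dst) identities; constructed values


class SecurityGateway:
    """A Phase 1 (ISAKMP) SA plus the QM exchanges it currently carries.

    `pending` is keyed by the QM message ID (chosen by the initiator in
    IKEv1), so the same parent SA can be initiator for one QM and
    responder for another at the same time.
    """

    def __init__(self, name, net, seed, allow_concurrent=True):
        self.name = name
        self.net = net                      # shared queue standing in for the wire
        self.rng = random.Random(seed)      # stands in for the random QM message ID
        self.allow_concurrent = allow_concurrent
        self.pending = {}                   # msg_id -> QuickMode
        self.child_sas = []                 # (msg_id, role, selectors) installed
        self.rejected = 0                   # QM messages this SG refused to process

    def send(self, peer, kind, msg_id, selectors):
        self.net.append((peer, self.name, kind, msg_id, selectors))

    def start_qm(self, peer, selectors):
        """Phase 2 initiator: QM1 carries the proposal and traffic selectors."""
        msg_id = self.rng.getrandbits(32)
        self.pending[msg_id] = QuickMode(msg_id, "initiator", selectors)
        self.send(peer, "QM1", msg_id, selectors)

    def install(self, qm):
        """Both QM2 (initiator side) and QM3 (responder side) end in a child SA."""
        self.child_sas.append((qm.msg_id, qm.role, qm.selectors))
        del self.pending[qm.msg_id]

    def receive(self, sender, kind, msg_id, selectors):
        if kind == "QM1":
            # A single-exchange design drops the peer's QM1 while its own is out.
            if not self.allow_concurrent and self.pending:
                self.rejected += 1
                return
            if msg_id in self.pending:      # message ID collision: refuse it
                self.rejected += 1
                return
            self.pending[msg_id] = QuickMode(msg_id, "responder", selectors)
            self.send(sender, "QM2", msg_id, selectors)
        elif kind == "QM2":
            qm = self.pending.get(msg_id)
            if qm is None or qm.role != "initiator":
                self.rejected += 1
                return
            self.install(qm)
            self.send(sender, "QM3", msg_id, selectors)
        elif kind == "QM3":
            qm = self.pending.get(msg_id)
            if qm is None or qm.role != "responder":
                self.rejected += 1
                return
            self.install(qm)


def run_race(allow_concurrent=True):
    """Both SGs see their ping SA expire and start a QM in the same instant."""
    net = deque()
    gws = {
        "SG1": SecurityGateway("SG1", net, seed=1, allow_concurrent=allow_concurrent),
        "SG2": SecurityGateway("SG2", net, seed=2, allow_concurrent=allow_concurrent),
    }
    gws["SG1"].start_qm("SG2", ("C1", "C2"))
    gws["SG2"].start_qm("SG1", ("C2", "C1"))
    while net:                              # deliver messages in order until quiet
        dst, src, kind, msg_id, sel = net.popleft()
        gws[dst].receive(src, kind, msg_id, sel)
    return gws


if __name__ == "__main__":
    for mode in (True, False):
        gws = run_race(mode)
        for sg in gws.values():
            print(f"concurrent={mode} {sg.name}: child SAs={len(sg.child_sas)} "
                  f"pending={len(sg.pending)} rejected={sg.rejected}")
```

With the per-message-ID table, each SG ends the race holding two child SAs (one as initiator, one as responder) and no stuck state; with a single outstanding QM per Phase 1 SA, each side rejects the other's QM1, installs nothing, and is left with an initiator exchange that can only time out, which is the standoff the reply warns about.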