Re: Racing QM Initiator's

["Scott G. Kelly" <skelly@redcreek.com>]

Valery Smyslov wrote:

<trimmed...>
> 
> Dan, it's OK with simultaneous phase 2 negotiations. But what about
> simultaneous phase 1 negotiations? Is there any reason (besides
> implementation simplicity) not to drop one of negotiation (of course,
> with some clear rule to decide which one, for examble, based on IP
> addresses comparison)?

How about the case in which one of the phase 1 SAs requires ID PFS while
the other one does not? The following diagram clarifies:

+---+  |                          |  +---+
| A |--|  +---+            +---+  |--| B |
+---+  |--| x |==internet==| y |--|  +---+
       |  +---+            +---+  |
+---+  |                          |  +---+
| C |--|                          |--| D |
+---+  |                          |  +---+

Assume that x and y are security gateways which provide ipsec services
to their respective local networks. Suppose that A wants to talk to D,
and this SA requires ID PFS. Suppose that around the same time, B wants
to talk to C, and this SA does not require PFS. When a packet A=>D
arrives at x, x begins negotiating with y. Suppose a packet B=>C arrives
at y prior to the arrival of x's first IKE packet, at which time y
initiates IKE with x, and the two IKE packets are simultaneously in
transit.

This is a case in which it would be incorrect to drop one of the
negotiations.

Scott

---

Follow-Ups:

• Re: Racing QM Initiator's
• From: "Valery Smyslov" <svan@trustworks.com>

References:

• RE: Racing QM Initiator's
• From: Sankar Ramamoorthi <Sankar@vpnet.com>
• Re: Racing QM Initiator's
• From: "Valery Smyslov" <svan@trustworks.com>

---

• Prev by Date: RE: request
• Next by Date: Re: PPP over IPSec (without L2TP)?
• Prev by thread: Re: Racing QM Initiator's
• Next by thread: Re: Racing QM Initiator's
• Index(es):
  • Main
  • Thread