
Re: Racing QM Initiators



On 14 Oct 99, at 8:53, Scott G. Kelly wrote:

> Valery Smyslov wrote:
> 
> <trimmed...>
> > 
> > Dan, it's OK with simultaneous phase 2 negotiations. But what about
> > simultaneous phase 1 negotiations? Is there any reason (besides
> > implementation simplicity) not to drop one of the negotiations (of course,
> > with some clear rule to decide which one, for example, based on IP
> > address comparison)?
> 
> How about the case in which one of the phase 1 SAs requires ID PFS while
> the other one does not? The following diagram clarifies:
> 
> +---+  |                          |  +---+
> | A |--|  +---+            +---+  |--| B |
> +---+  |--| x |==internet==| y |--|  +---+
>        |  +---+            +---+  |
> +---+  |                          |  +---+
> | C |--|                          |--| D |
> +---+  |                          |  +---+
> 
> Assume that x and y are security gateways which provide ipsec services
> to their respective local networks. Suppose that A wants to talk to D,
> and this SA requires ID PFS. Suppose that around the same time, B wants
> to talk to C, and this SA does not require PFS. When a packet A=>D
> arrives at x, x begins negotiating with y. Suppose a packet B=>C arrives
> at y prior to the arrival of x's first IKE packet, at which time y
> initiates IKE with x, and the two IKE packets are simultaneously in
> transit.
> 
> This is a case in which it would be incorrect to drop one of the
> negotiations.

Good point. But robust implementations must be able to deal with the 
situation when one peer thinks it can use an existing ISAKMP SA while 
the other doesn't think so, anyway. I think they must be able to 
recover after dropping one negotiation (in fact, in your scenario, the 
dropped negotiation will just be deferred). Of course, if both peers 
need ID PFS, there is no reason to drop.

In my opinion, ID PFS is a relatively rare thing, too rare to justify the 
extra resource waste (DH) in the case of simultaneous phase 1 negotiations.

> Scott

Regards,
Valera.
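The collision the two messages argue about can be made concrete with a small model. The following Python is an added illustration, not code from this thread or from any IKE implementation: two gateways each hold one pending quick-mode request and start phase 1 at the same moment. It assumes a tie-break rule (the initiation from the numerically higher IP address survives; both sides can evaluate it independently), one pending request per gateway at collision time, and that a request requiring ID PFS can never share an ISAKMP SA with another request. Host names and addresses are constructed to match Scott's diagram.

```python
"""Toy model of an IKEv1 phase 1 collision between two security gateways.

Constructed example (not from the thread or any real IKE stack).  Shows
the two points made above: with a deterministic tie-break, the dropped
phase 1 is merely deferred when its request needs ID PFS (Valery), and
when both sides need ID PFS there is nothing to drop at all.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Outcomes for a pending phase 2 request after the collision is resolved.
PROCEED = "proceed on own ISAKMP SA"
REUSE = "reuse the surviving peer's ISAKMP SA"
DEFER = "deferred: re-initiate a dedicated phase 1 after the survivor completes"


@dataclass
class Phase2Request:
    """A quick-mode request queued at a gateway (constructed labels)."""
    src: str               # host behind this gateway
    dst: str               # host behind the peer gateway
    requires_id_pfs: bool  # needs an ISAKMP SA of its own


@dataclass
class Gateway:
    name: str
    ip: str                # assumed distinct per gateway
    pending: Phase2Request


def key(req: Phase2Request) -> str:
    return f"{req.src}=>{req.dst}"


def wins_tiebreak(initiator: Gateway, peer: Gateway) -> bool:
    """Assumed rule: the initiation from the higher IP address survives.
    Both peers compute the same answer from the same two addresses."""
    return ip_address(initiator.ip) > ip_address(peer.ip)


def resolve_collision(a: Gateway, b: Gateway) -> dict:
    """Decide what happens to each pending request when a and b have
    both sent their first phase 1 packet at the same time."""
    if a.ip == b.ip:
        raise ValueError("tie-break needs distinct addresses")
    ra, rb = a.pending, b.pending

    # Both requests need ID PFS: neither could share an ISAKMP SA, so
    # both negotiations are kept and nothing is dropped.
    if ra.requires_id_pfs and rb.requires_id_pfs:
        return {key(ra): PROCEED, key(rb): PROCEED}

    survivor = a if wins_tiebreak(a, b) else b
    loser = b if survivor is a else a
    outcome = {key(survivor.pending): PROCEED}

    # The loser's request can ride on the surviving ISAKMP SA only if
    # neither request insists on a dedicated (ID PFS) ISAKMP SA; otherwise
    # the dropped phase 1 is deferred and re-run, not lost.
    if survivor.pending.requires_id_pfs or loser.pending.requires_id_pfs:
        outcome[key(loser.pending)] = DEFER
    else:
        outcome[key(loser.pending)] = REUSE
    return outcome


if __name__ == "__main__":
    # Scott's scenario: A=>D needs ID PFS, B=>C does not (constructed addresses).
    x = Gateway("x", "192.0.2.1", Phase2Request("A", "D", True))
    y = Gateway("y", "198.51.100.1", Phase2Request("B", "C", False))
    for k, v in resolve_collision(x, y).items():
        print(f"{k}: {v}")
```

Running the scenario from the diagram, y's initiation survives under the assumed rule, B=>C proceeds on it, and A=>D is reported as deferred rather than dropped; change both requests to require ID PFS and both negotiations are kept. The `wins_tiebreak` check is the part that matters for robustness: if the two peers could reach different answers, each would drop the other's negotiation and neither phase 1 would complete.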
