[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Phase 1 Re-keying Implementation Identification

To: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Subject: Phase 1 Re-keying Implementation Identification
From: Tim Jenkins <tjenkins@TimeStep.com>
Date: Tue, 16 Nov 1999 10:25:59 -0500
Sender: owner-ipsec@lists.tislabs.com

Greetings,

At the 46th IETF last week, I again presented the re-keying document. In
that presentation and in the re-keying document, I described two methods of
phase 1 re-keying.

One of these I called "phase 2 SA dangling". In this method, an
implementation does not necessarily keep any valid phase 1 SAs alive while
there are phased 2 SAs between it and another peer. In other words, the
phase 2 SAs may "dangle" without the existence of a control channel.

The other method is what I called the "continuous channel" method. In this
method, an implementation always keeps at least one phase 1 SA up between
itself and a peer when there are any phase 2 SAs up between them. If, for
any reason, there are no phase 1 SAs between the peers, all phase 2 SAs
would be torn down as well.

However, this leads to a potential interoperability issue between the two
methods, since a continuous channel implementation would delete phase 2 SAs
when a dangling phase 2 SA peer deletes the phase 1 SA between them.

To correct this, a continuous channel implementation could choose to not
delete phase 2 SAs when it received a delete notification for the only phase
1 SA that exists.

However, this leads to problems if the peer is also a continuous channel
model. Note that this can occur since delete notifications for all SAs are
both optional and send without acknowledgement over UDP.

So, I asked if there was interest in allowing vendors to be able to
determine if the peer is also a continuous channel model.

Obviously, if a vendor sends a vendor ID payload, the implementation can
determine that it is talking to itself, and thus determine which phase 1
re-keying model it uses.

So: Is there any interest in this? How many vendors are using the continuous
channel model?

Please note that this has absolutely no effect on dangling phase 2 SA
implementations. It has already been stated that continuous channel model
implementation should be dangling phase 2 SA implementation aware if they
cannot determine the nature of the peer implementation.

If there is, what method would be suggested?

(One potential method is the exchange of a specific vendor ID, but this goes
against the intent of the vendor ID payload. Unfortunately, there doesn't
seem to be a feature negotiation capability in IKE.)

Thanks,

Tim

---
Tim Jenkins                       TimeStep Corporation
tjenkins@timestep.com          http://www.timestep.com
(613) 599-3610 x4304               Fax: (613) 599-3617

Follow-Ups:

Re: Phase 1 Re-keying Implementation Identification

From: Slava Kavsan <bkavsan@ire-ma.com>

Re: Phase 1 Re-keying Implementation Identification

From: Will Price <wprice@cyphers.net>

Prev by Date: Buffer Management for IPsec
Next by Date: Re: Phase 1 Re-keying Implementation Identification
Prev by thread: Buffer Management for IPsec
Next by thread: Re: Phase 1 Re-keying Implementation Identification
Index(es):
- Main
- Thread