Error recovery?

[Hans-Joachim Knobloch <hajo@knobloch.de>]

Please excuse, if this is a FAQ or if I was simply too blind to find the
answer in the RFCs and drafts on IPSec.

Consider the case that two hosts communicate via two IPSec security
gateways
             A <---> SG1 <-----> SG2 <---> B

and that appropriate ISAKMP and IPSec SAs are established. Let us call
these SAs SA1, SA2AB and SA2BA respectively.
Now what happens, when SG2 is reset?

When B sends a packet to A everything should be fine, since SG2 will
initiate new phase 1 and phase 2 exchanges.
But what if A sends a packet to B? SG1 will process the packet with the
old IPsec SA2AB and SG2 will receive a packet with a most probably unknown
SPI. Is this supposed to happen until SA2AB does "naturally expire"?
Do we have to set SA lifetime short enough and/or hope that B will also
send a packet more sooner than later?

Alternatively one could imagine that SG2 sends SG1 some kind of
(ICMP?) message to tell it to invalidate SA2AB. But then, this might be
abused by an attacker to cause unnecessary ISAKMP traffic and a service
disruption until new SAs are installed.

In the above example, when SA2AB expires, SG1 will probably initiate a
phase 2 exchange with the old SA1. What is the correct way for SG2 to
respond to this? Initiate a nes phase 1 exchange? Send an error
notification to SG2 (then necessarily unencrypted due to nonexistant
ISAKMP SA)? The latter might open up a denial-of-service attack by sending
spoofed error notifications to make SG1 invalidate its existing SAs and
thus cause lots of unnecessary ISAKMP traffic and service disruption.

Hansi

---

• Prev by Date: Re: IKE negotiation/rekeying problem with RSIP
• Next by Date: FBI secret police FAQ#1
• Prev by thread: Re: I-D ACTION:draft-ietf-ipsec-flow-monitoring-mib-00.txt
• Next by thread: RE: Error recovery?
• Index(es):
  • Main
  • Thread