
Re: issues raised at VPN interoperability workshop



On Thu, Jan 27, 2000 at 04:19:39PM -0500, Andrew Krywaniuk wrote:
> I don't think this is a fair assumption. If I am not expecting a
> NOTIFY_CONNECTED then I will most likely delete my quick mode object soon
> after sending QM3. (I will keep it around for a little while in case I need
> to retransmit.) This creates a race condition: If your spurious
> NOTIFY_CONNECTED arrives after I have deleted my quick mode object then I
> will not know what to do with it. (In fact, I will most likely think that it
> is a malformed QM1.)

If your implementation receives a spurious connect-notify will it affect
(i.e. delete) the previously negotiated P2 SA?  I hope it won't.

The reason I implemented the responder sending the connect-notify (C-N) if
commit bit (CB) was turned off by the initiator is that during the San
Diego bakeoff I encountered an implementation where as the initiator it did
not reflect the CB yet expected the C-N.  Yes, I know the implementation
was broken but I thought that sending a C-N would not really hurt even if
the initiator was not expecting it and should increase the likelihood of
successful IPSec tunnel creation.

If we can all agree that an implementation MUST reflect the CB if they
intend to honor it otherwise they should not reflect the CB then I would
not send the C-N as a responder if the initiator did not reflect it.

> Aside from the fact that the CB doesn't really accomplish much unless the
> peer's implementation queues packets (I suspect that most sgws don't) and
> yours doesn't...
> 
> 1. The initiator has ample opportunity to setup his SA before the responder
> uses it.
> 2. The initiator was the one who decided to initiate the SA. Therefore, one
> can conclude that he will also be the first one to use it.

I'm not sure this is true.  Let's say Host A initiates the 1st QM
negotiation for an IPSec tunnel between Host A and Host B then Host B
initiates the next QM negotiation that will refresh the P2 SA for the IPSec
tunnel between them because Host B's P2 SA lifetime was shorter than Host
A's.  Which host will be the first to use the new P2 SA? 

> The commit bit fixes a race condition that only affects the responder. If
> the responder wants to send the connected notify then he should set the bit
> himself.

But isn't it possible that whoever is initiating may want the responder to
have its P2 SA in place so that it is less likely to drop the initiator's
packets?

-- 
Will Fiveash
IBM AIX System Development        Internet: will@austin.ibm.com
11400 Burnet Road, Bld.905/9551   Notes: will@austin.ibm.com
Austin, TX 78758-3493  Phone:(512) 838-7904(off)/3509(fax), T/L 678-7904
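
Added example, not part of the original message and not code from any implementation discussed in the thread: a small model of the two behaviours debated above, the responder's choice to send the connect-notify and an initiator that receives it after deleting its quick mode object yet leaves the P2 SA in place. The names `should_send_connected` and `Initiator`, the tracking of SAs by quick mode message ID, and payloads given as already-authenticated tuples are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FLAG_COMMIT = 0x02        # commit bit in the ISAKMP header flags (RFC 2408)
NOTIFY_CONNECTED = 16384  # CONNECTED notify status type (RFC 2408)

def should_send_connected(responder_set_cb, qm3_flags, strict):
    """Responder side: send the connect-notify after QM3?

    strict=False: send whenever the responder set the CB, reflected or not.
    strict=True:  send only if the initiator reflected the CB in QM3.
    """
    if not responder_set_cb:
        return False
    return bool(qm3_flags & FLAG_COMMIT) if strict else True

@dataclass
class Initiator:
    # Hypothetical model: both tables are keyed by the quick mode message ID.
    qm_objects: set = field(default_factory=set)  # in-flight QM exchanges
    p2_sas: set = field(default_factory=set)      # installed P2 SAs

    def sent_qm3(self, msg_id):
        self.p2_sas.add(msg_id)       # SA is installed
        self.qm_objects.add(msg_id)   # kept briefly for retransmits

    def retransmit_window_over(self, msg_id):
        self.qm_objects.discard(msg_id)  # QM object deleted, SA untouched

    def on_message(self, msg_id, payloads):
        """payloads: (kind, value) tuples, assumed decrypted and authenticated."""
        connected = ("N", NOTIFY_CONNECTED) in payloads
        has_sa = any(kind == "SA" for kind, _ in payloads)
        if msg_id in self.qm_objects:
            return "connected" if connected else "retransmit-qm3"
        if has_sa:
            return "new-qm1"          # a peer starting its own quick mode
        if connected and msg_id in self.p2_sas:
            return "ignored-late-connected"  # the race: drop it, keep the SA
        return "malformed"

def late_notify_demo():
    """Constructed scenario: C-N arrives after the QM object is gone."""
    init = Initiator()
    init.sent_qm3(0x1234)
    init.retransmit_window_over(0x1234)
    verdict = init.on_message(0x1234, [("HASH", b""), ("N", NOTIFY_CONNECTED)])
    return verdict, 0x1234 in init.p2_sas
```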

