[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ISAKMP commit bit and connected notifications

To: ipsec@lists.tislabs.com
Subject: ISAKMP commit bit and connected notifications
From: sami.vaarala@netseal.com
Date: Tue, 28 Mar 2000 13:48:11 +0300
Organization: NetSeal Technologies
Sender: owner-ipsec@lists.tislabs.com


Sorry for bringing this up yet again,

Can anyone give a solid reasoning as to WHY we need commit bit or
connected notifications at all?  As far as I can tell, a connected
notification does not guarantee a consistent outcome of an exchange
any more than an exchange without a connected notification.

The "three army" problem seems to apply:
  - if the last message IS critical to the consistent completion, it
    must not be dropped or otherwise the exchange fails to complete
    consistently
    [if not, this message is not critical after all, right?]
  - on the other hand, if the message is not critical, we can remove
    the message from the exchange.
  - continuing this way, we end up in a situation where the last message
    is critical [for IKE, connected notifications are non-critical].
    Yet, we cannot guarantee its delivery (by the very nature of IP).

As far as I can see, the best (only?) solution is to keep connection
state for a while after sending the last message.  If a duplicate of a
previous message arrives, resend the last message.  Keep doing this for
some sane timeout value (e.g. 3*round-trip), perhaps applying a sanity
rate limiter to avoid flood attacks. This guarantees consistent
completion to a certain probability (not 100%), which you can tune by
choosing an appropriate timeout value.

(The same reasoning applies to e.g. TCP connection teardown; there is
no 100% guaranteed way of tearing down a TCP connection and TCP uses a
similar timeout strategy.)

Do others agree with this reasoning?  If so, I suggest the following:
    - deprecate the commit bit from ISAKMP (or the IKE exchanges)
    - add wordage about proper behavior wrt last exchange message
      (encourage a behavior that works robustly) to either ISAKMP or
      IKE spec
    - acknowledged notifications should mandate this last message
      behavior (otherwise they aren't any more guaranteed than normal
      notifications)
    - normal notifications cannot benefit from the last message strategy
      because there is only one message to send; wordage about this
      should be added to clarify the difference between acknowledged
      notifications

This is a "phase out" strategy; older implementations may continue to
support commit bit but newer ones should not mandate commit bit
processing.

--
Sami Vaarala (sami.vaarala@netseal.com)
NetSeal Technologies
http://www.netseal.com/

Prev by Date: Re: Heartbeats draft (fwd)
Next by Date: Re: Heartbeats draft available
Prev by thread: IPSec and the AES
Next by thread: RE: ISAKMP commit bit and connected notifications
Index(es):
- Main
- Thread