
RE: ipsec error protocol



Hi,

You point out the following drawbacks for the ipsec error/control mechanism

1) overhead of maintaining an additional SA state
2) may require additional SA characteristic in DOI vs ike

I would like to point out the proposed scheme does not require
a phase2 SA or associated state maintenance. It only requires
that ipsec reserve an SPI for control purposes. That SPI could
be used to define an ipsec control packet encapsulation which
can carry error/control information about the state of other ipsec
SAs.

Also the change is really specific to ipsec - in that sense it is
not DOI specific.

Welcome your comments.

-- sankar --


-----Original Message-----
From: Scott G. Kelly [mailto:skelly@redcreek.com]
Sent: Wednesday, January 17, 2001 11:22 AM
To: fd@cisco.com
Cc: sankar ramamoorthi; ipsec@lists.tislabs.com
Subject: Re: ipsec error protocol


Hi Frederic,

Frédéric Detienne wrote:
>
> In this case, you assume there is a phase 2 SA available and identified
> by a reserved SPI. What if the host crashed? It does not have a phase
> 2, and would have to negotiate a new one, possibly involving a phase 1,
> thus opening the door to clogging.

But the crashed host is precisely what you are trying to detect, and in
this case, you will need to set up at least one new ike SA anyway, so
this is not persuasive.

> This is just an other way to transport a delete notification or a
> keepalive but has the same drawbacks as the solutions proposed so far.
>
> ISAKMP already proposes such a mechanism (notification payloads
> -- except keepalives) but as they are unauthenticated, they can
> not be trusted.

<stuff trimmed...>

Use of an explicit phase 2 SA for this has been suggested by at least 2
other wg participants, if I remember correctly. What are the benefits vs
drawbacks of this when compared to an ike-based solution?

Benefits:
o allows you to eliminate the ike/stack interaction required of an
ike-based mechanism
o phase 2 control messages could be authenticated without changing ike

Drawbacks:
o overhead for maintaining additional SA state
o may require definition of additional SA characteristic in DOI (ike vs
control), although not strictly necessary

I'm sure there are other entries in each list - I invite others to add
to these lists.

Scott
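The point Frédéric and Scott are debating, as an added illustration that is not from this thread or from any IPsec implementation: a reserved control SPI carries a notification about some other SA, and the receiver only acts on it if the message can be authenticated with the referenced SA's key, so a notification about an SA it has no state for (the crashed-host case) is dropped rather than trusted. The control SPI value, the message layout, the notification code and the sample SAD are all assumptions.

```python
import hashlib
import hmac
import struct

# Hypothetical reserved SPI for control traffic (assumption, not a standard value).
CONTROL_SPI = 0x00000010

# Constructed SAD: inbound SPI -> authentication key of an established phase 2 SA.
SAD = {0x1A2B3C4D: b"k" * 32, 0x55667788: b"q" * 32}

# Hypothetical notification code meaning "delete the referenced SA".
CODE_DELETE = 1
TAG_LEN = 32  # HMAC-SHA256 digest length


def build_control(ref_spi, code, key):
    """Hypothetical encoding: ref SPI (4 bytes) | code (1 byte) | HMAC-SHA256
    over those bytes keyed with the referenced SA's auth key."""
    body = struct.pack("!IB", ref_spi, code)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def handle_inbound(spi, payload, sad):
    """Demux an inbound packet by SPI; return a string describing the decision."""
    if spi != CONTROL_SPI:
        return "data" if spi in sad else "drop-unknown-spi"
    if len(payload) != 5 + TAG_LEN:
        return "drop-malformed"
    body, tag = payload[:5], payload[5:]
    ref_spi, code = struct.unpack("!IB", body)
    key = sad.get(ref_spi)
    if key is None:
        # No SA state for the referenced SPI: nothing to authenticate against,
        # so this is as untrustworthy as an unauthenticated ISAKMP notify.
        return "drop-unauthenticated"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "drop-bad-icv"
    if code == CODE_DELETE:
        del sad[ref_spi]
        return "deleted"
    return "unknown-code"
```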