[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SOI QUESTIONS: 3.4 - 4.3
Andrew Krywaniuk wrote:
>
>> 4.2.A) How important is it that SOI be able to create multiple SA's
>> between a pair of entities "cheaply"?
>
>"How fast should the protocol be?" is not really a yes or no question. We
>need to make optimizations wherever they will be useful.
>
>There are lots of scenarios where amortization of SA negotiation can be
>useful:
>
>a) When you negotiate multiple SAs at the same time. The use of
multiple SAs
>can be replaced by a single SA with complex selectors in some cases,
but QoS
>is an obvious counter-example.
>
>b) Handling protocols which use dynamic port assignment. Here you may
either
>want to negotiate a new SA or update the selectors of an existing SA (aka
>policy agreement). Either case requires a management channel of some kind.
>
>c) In the remote access case, you use the DHCP configuration of tunnel
mode
>protocol to setup an initial SA (or one of the forbidden protocols), and
>then immediately create a new SA with updated selectors.
>
>d) Just for speeding up phase 2 rekeying. I already explained in a
previous
>thread how you can use a PFS interval to negotiate 2 SAs for the price of
>one DH (steady-state).
>
>
>> 4.2.B) How often will usage scenarios of SOI need to generate multiple
>> SA's between a single pair of entites?
>
>It certainly depends on the usage scenario. At this point, we can only
>speculate how widely QoS will be used in the future. Remote access will
>require it consistently. Some scenarios won't require it at all.
>
>
>> 4.3.A) Both JFK and IKEv2 provide dead peer detection via a
>> "keep-alive" mechanism. The functionality provided is roughly
>> identical. Does anyone care about how low-level implementation
>> details of IKEv2 and JFK?
>
>Well yes, I care. I think that just "do a ping whenever you want" is a
>little too freeform. There should be some guidelines. Also, the messages
>should be replay-protected, which is done automatically in IKEv2 and
>optionally in JFK. Finally, piggybacking on data SAs is not exactly
ideal. I
>think there should be a separate control channel.
>
If phase1 SA is used as the control channel for keep-alive messages,
what are the implications with regard to PFS? That is, if PFS is used
to rekey the ipsec session key after an interval for
perfect-forward-secrecy, is it okay to continue using the phase1 SA
for keep alive packets with out worrying about PFS?
>
>> 4.3.B) Should the working group consider other schemes which provide
>> the same functionality as dead peer detection? (i.e., birth
>> certificates, see section 3.5 in draft-ietf-ipsec-soi-features-01.txt)
>
>Sure, let's consider them. Birth certificates handle one type of DPD, but
>they are not a self-contained solution. If a peer reboots and comes up
at a
>different address then the system won't detect the failure.
>
Yes, it would be nice to address that case. Another example is when
the peer fails over to a backup box which may not have the same birth
certificate.
-- sankar ramamoorthi (sankarr@juniper.net) --
>Andrew
>-------------------------------------------
>There are no rules, only regulations. Luckily,
>history has shown that with time, hard work,
>and lots of love, anyone can be a technocrat.
>
>
>