[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPI in Delete Payload of IKE / IKEv2

To: "Atsuhiro Tsuji" <tsuji.atsuhiro@jp.panasonic.com>
Subject: Re: SPI in Delete Payload of IKE / IKEv2
From: Charlie_Kaufman@notesdev.ibm.com
Date: Sun, 9 Mar 2003 21:24:29 -0500
Cc: ipsec@lists.tislabs.com, owner-ipsec@lists.tislabs.com, "'Atsuhiro Tsuji'" <tsuji.atsuhiro@jp.panasonic.com>
In-Reply-To: <001201c2e442$f01c5bc0$cb06b684@isl.mei.co.jp>
Sender: owner-ipsec@lists.tislabs.com

Note: this exchange has uncovered an unintended difference between IKEv1
and IKEv2. Question for the list: should I change IKEv2 to match (assuming
it's true that IKEv1 works as described).

"Yoav Nir" <ynir@checkpoint.com> wrote:
> Hi,
>
> You send a Delete-SA to stop the peer from using that SA.  The IPsec SA
is
> outbound for the peer, but inbound for you.
>
> If A and B negotiate an IPsec SA, A sends ESP packets with SPI 17, and B
> sends packets with SPI 49.  If A wants this traffic to stop, he sends B a
> Delete payload with the SPI field 49.
>
> To stop transmissions on SPI 17, A needs not send out anything.  It is
> enough that he stops using it.  It might have been nice to also be able
to
> tell peer B that no more traffic will come with SPI 17, so that peer B
has
> an easier time dropping fake packets, but this is not in the spec.
>
> Hope this helps.
>
> Yoav Nir

"Atsuhiro Tsuji" <tsuji.atsuhiro@jp.panasonic.com> wrote:
> Thank you for your telling me the spec. of Delete Payload.
> I understand that is reasonable under the current spec.
>
> By the way, I wonder you don't mind that you tell me where the spec.
> is written.

For IKEv2 (draft-ietf-ipsec-ikev2-05.txt), the processing is described in
Section 3.11: Delete Payload. It says:

"Deletion of the IKE-SA is indicated by a Protocol-Id of 0 (IKE) but no
SPIs. Deletion of a CHILD-SA, such as ESP or AH, will contain the
Protocol-Id of that protocol (1 for ESP, 2 for AH) and the SPI is the SPI
the sending endpoint would place in outbound ESP or AH packets."

So in IKEv2, you identify the SA to delete by the SPI chosen by the other
end. Apparently in IKEv1, it was identified by the SPI chosen by you.

> On the other hand,
> I think it is useful we can tell the deletion of the outbound SA to the
peer,
> and I wonder why don't we specify it...
> Because "Simple is Best."?
> Have anyone discussed this?

For IKEv2, this is discussed in section 1.4 The INFORMATIONAL Exchange. The
ESP SAs in the two directions MUST be closed together. When you get a
request to close one side, you MUST close the other (unless it's already
closed in an unlikely race condition where both ends decide to close the
SAs simultaneously).

I don't know how this was handled in IKEv1.

          --Charlie

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).

Follow-Ups:
- Re: SPI in Delete Payload of IKE / IKEv2
  - From: "Atsuhiro Tsuji" <tsuji.atsuhiro@jp.panasonic.com>

References:
- Re: SPI in Delete Payload of IKE / IKEv2
  - From: "Atsuhiro Tsuji" <tsuji.atsuhiro@jp.panasonic.com>

Prev by Date: Re: comments on ikev2 05 (cryptography)
Next by Date: Re: bidding down attach on NAT-T
Prev by thread: Re: SPI in Delete Payload of IKE / IKEv2
Next by thread: Re: SPI in Delete Payload of IKE / IKEv2
Index(es):
- Date
- Thread