[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: QoS selectors (was LAST CALL: IKE)

To: Black_David@emc.com
Subject: RE: QoS selectors (was LAST CALL: IKE)
From: Stephen Kent <kent@bbn.com>
Date: Tue, 1 Jul 2003 10:58:46 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <277DD60FB639D511AC0400B0D068B71E0564CE65@corpmx14.us.dg.com>
References: <277DD60FB639D511AC0400B0D068B71E0564CE65@corpmx14.us.dg.com>
Sender: owner-ipsec@lists.tislabs.com

At 7:57 PM -0400 6/30/03, Black_David@emc.com wrote:
>Steve,
>
>>  At 11:08 AM -0400 6/30/03, jpickering@creeksidenet.com wrote:
>>  >Re: multiple "redundant" SAs:
>>  >In order to support simultaneous rekey tie-breaking as currently
>>  >defined, one needs to be able to be able to determine
>>  >if the attempt to create a child is a rekey and if so, which SA is
>>  >being rekeyed. The only way to do this per current
>>  >version is to examine the traffic selectors which presumes
>>  no redundant SAs.
>>
>>  Whoops!
>>
>>  Any suggestions on how to avoid messing up the rekey heuristic and
>>  not negotiating the DiffServ values for SAs?
>
>We've already concluded that the DiffServ values are functionally
>opaque to the other side from a traffic classification standpoint.
>OTOH, I'm concerned that if we pass them across IKE, someone's going
>to try to use them in a way that s/he shouldn't.  So, let's go back
>to an old proposal from Radia:
>
>	So I'd propose one more field in the traffic
>	elector for "uniquifier". Alice can create
>	ultiple child-SAs to Bob with the same
>	raffic selectors, as long as they have different
>	niquifiers.
>
>The uniquifier could be some sort of internal index or pointer;
>even a simple counter works.
>
>Another possibility if rekeying is really the only problem,
>would be to pass the other side's SPI as the "uniquifier" indicating
>exactly which SA is being rekeyed.  If this is always done, the
>rekeying "heuristic" turns into a rule - when the "old SPI"
>is passed, this is a rekey of that SPI, otherwise it's a new
>SA creation.  A minor downside is that if one fails to pass the
>"old SPI" on rekey, SAs that are no longer useful may accumulate
>on the peer, but the peer is already free to garbage collect SAs,
>and these will be good candidates as they will carry no further
>traffic.
>
>Thanks,
>--David

As you note, we already SPIs as locally unique ways to refer to SAs 
between consenting IPsec implementations.  I don't see a need to add 
an arbitrary, new selector for address this problem.

Steve

Prev by Date: Re: IKEv2 selectors for IPsec?
Next by Date: Re: IKE negotiation for fragmentation controls in IPsec
Prev by thread: Re: QoS selectors (was LAST CALL: IKE)
Next by thread: Re: IKEv2 selectors for IPsec?
Index(es):
- Date
- Thread