
Re: interoperability issue with 'lifekbytes'



Hi Arun,

If 'lifekbytes' is expected and this attribute does not come from the
peer, I feel the SA coming from the peer should be rejected.
If the 'lifekbytes' attribute comes in but is not expected, then it
seems OK to accept 'lifekbytes', as it is more secure. But at any time
we don't know which node initiates the quick mode negotiation. If one
side negotiates, it succeeds, and if the other negotiates, it does not
succeed. So it is better to have the same configuration on both ends and
deny the negotiation if it does not match the local configuration.
Thereby there is no confusion. Note that this configuration is
supposed to be agreed upon by both administrators of the SGs; along
with the other parameters, this too can be agreed upon and configured the
same on both ends. I feel there is no problem in expecting the
configuration to be the same on both ends.
Regards
Ravi

Arun Kumar wrote:
> Hi,
> 
>  Sorry, my previous message format was bad. I'm resending it with proper 
> format.
> 
>  We are frequently encountering interoperability problems
>   with the 'lifekbytes' configuration. Different vendors accept/implement
>   it in different ways. Having a consistent method mentioned in the
>   standards will help eliminate/reduce the misinterpretation.
>   Any feedback on the following interoperability issue from the WG
>   is appreciated.
>  
>    Security Gateway1--------------------Security Gateway2
>  
>   The admin at SG1 configured the IPsec security policy 
>   indicating that 'lifekbytes' is not expected. 
>   SG2 sends a QM SA payload with a lifekbytes attribute with some
>   value. Should SG1 accept the SA payload, or should it deny
>   the SA payload?
>  
>   We feel that, since the local admin made a choice that lifekbytes
>   is not required/expected, it should deny the SA negotiation.
>   What is the right thing to do? Also, we feel that having a
>   consistent configuration on both ends will eliminate the 
>   confusion. 
>  
>   Related question:
>   What happens when SG1 starts the quick mode?
>   Should SG2 deny the negotiation, as it expected the lifekbytes 
>   attribute but no 'lifekbytes' attribute is coming from SG1?
>  
>   We feel that, for both cases to work, it is better to have the
>   same configuration on both ends so that it works consistently
>   and gives the choice to the administrators.
>  
> Thanks in advance,
> Arun
> 


-- 


The views presented in this mail are completely mine. The company is not
responsible for whatsoever.
------------------------------------------------------------------------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184

ROC home page <http://www.roc.co.in>
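The check Ravi describes, as an added worked example that is not part of this thread or of any vendor's code: decode the SA lifetime attributes of an IKEv1 Quick Mode transform and reject the proposal whenever the lifetimes present (or absent) do not match what the local administrator configured, so the outcome is the same whichever gateway initiates. The attribute numbers (SA Life Type = 1, SA Life Duration = 2, seconds = 1, kilobytes = 2) come from RFC 2407 and the TV/TLV encoding from RFC 2408; the `LifetimePolicy` structure, the function names and the two sample proposals are assumptions constructed for this illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 2407 section 4.5: IPsec DOI SA attribute numbers and life-type values.
SA_LIFE_TYPE = 1
SA_LIFE_DURATION = 2
LIFE_SECONDS = 1
LIFE_KILOBYTES = 2


def decode_attributes(data: bytes) -> List[Tuple[int, int]]:
    """Decode ISAKMP data attributes (RFC 2408 section 3.3) into (type, value).

    Bit 15 of the type word set means TV format (16-bit value in the header);
    clear means TLV format (16-bit length followed by that many value bytes).
    """
    attrs = []
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        atype = raw_type & 0x7FFF
        if raw_type & 0x8000:
            value = second
        else:
            # Defensive bound: a lifetime wider than 8 bytes is not meaningful,
            # and checking the length before slicing avoids a silent short read.
            if second > 8 or off + second > len(data):
                raise ValueError("bad TLV length")
            value = int.from_bytes(data[off:off + second], "big")
            off += second
        attrs.append((atype, value))
    return attrs


def lifetimes(attrs: List[Tuple[int, int]]) -> Dict[int, int]:
    """Pair each SA Life Type with the SA Life Duration that must follow it.

    Returns {LIFE_SECONDS: n, LIFE_KILOBYTES: n} for whatever the peer sent.
    """
    result: Dict[int, int] = {}
    pending: Optional[int] = None
    for atype, value in attrs:
        if atype == SA_LIFE_TYPE:
            if pending is not None:
                raise ValueError("SA Life Type not followed by a duration")
            pending = value
        elif atype == SA_LIFE_DURATION:
            if pending is None:
                raise ValueError("SA Life Duration without a preceding life type")
            if pending in result:
                raise ValueError("duplicate lifetime of the same type")
            result[pending] = value
            pending = None
    if pending is not None:
        raise ValueError("trailing SA Life Type without a duration")
    return result


@dataclass
class LifetimePolicy:
    """Local configuration (assumed shape). None means 'not expected'."""
    seconds: Optional[int]
    kilobytes: Optional[int]


def check_proposal(policy: LifetimePolicy, transform_attrs: bytes) -> Tuple[bool, str]:
    """Accept only if the peer's lifetime attributes match local policy exactly.

    A lifetime that is sent but not configured, configured but not sent, or
    sent with a different value is rejected, in either negotiation direction.
    """
    got = lifetimes(decode_attributes(transform_attrs))
    for life_type, name, expected in (
        (LIFE_SECONDS, "seconds", policy.seconds),
        (LIFE_KILOBYTES, "kilobytes", policy.kilobytes),
    ):
        if expected is None and life_type in got:
            return False, f"peer sent unexpected {name} lifetime {got[life_type]}"
        if expected is not None and life_type not in got:
            return False, f"peer omitted expected {name} lifetime"
        if expected is not None and got[life_type] != expected:
            return False, f"{name} lifetime mismatch: peer {got[life_type]}, local {expected}"
    return True, "lifetime attributes match local policy"


def encode_lifetime(life_type: int, duration: int) -> bytes:
    """Encode SA Life Type as a TV attribute and SA Life Duration as a 4-byte TLV."""
    return (struct.pack("!HH", 0x8000 | SA_LIFE_TYPE, life_type)
            + struct.pack("!HH", SA_LIFE_DURATION, 4)
            + duration.to_bytes(4, "big"))


# Constructed sample transforms (not captured traffic): SG2 sends both
# lifetimes, SG1 sends seconds only, as in the scenario in the thread.
SG2_PROPOSAL = encode_lifetime(LIFE_SECONDS, 28800) + encode_lifetime(LIFE_KILOBYTES, 4608000)
SG1_PROPOSAL = encode_lifetime(LIFE_SECONDS, 28800)

if __name__ == "__main__":
    # SG1 does not expect lifekbytes, SG2 sends it: rejected.
    print(check_proposal(LifetimePolicy(28800, None), SG2_PROPOSAL))
    # SG2 expects lifekbytes, SG1 initiates without it: rejected.
    print(check_proposal(LifetimePolicy(28800, 4608000), SG1_PROPOSAL))
    # Same configuration on both ends: accepted regardless of initiator.
    print(check_proposal(LifetimePolicy(28800, 4608000), SG2_PROPOSAL))
```

The strict equality here implements the "same configuration on both ends, deny otherwise" stance taken in the thread. RFC 2407 also allows a responder to accept a proposal carrying a longer lifetime and announce the shorter one it will actually use with a RESPONDER-LIFETIME notification; an implementation that wants that leniency would relax the value comparison but should still treat a lifetime type that is expected yet missing, or present yet unconfigured, as a policy mismatch.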