
Re: interoperability issue with 'lifekbytes'



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Arun" == Arun Kumar <arun_mc@intotoinc.com> writes:
    Arun>  We are frequently encountering interoperability problems
    Arun>   with the 'lifekbytes' configuration. Different vendors accept/implement
    Arun>   it in different ways. Having a consistent method mentioned in the
    Arun>   standards will help eliminate/reduce the misinterpretation.
    Arun>   Any feedback on the following interoperability issue from the WG
    Arun>   is appreciated.
 
    Arun>    Security Gateway1--------------------Security Gateway2
 
    Arun>   The admin at SG1 configured the IPsec security policy
    Arun>   indicating that 'lifekbytes' is not expected.
    Arun>   SG2 sends a QM SA payload with a lifekbytes attribute with some
    Arun>   value. Should SG1 accept the SA payload, OR should it deny
    Arun>   the SA payload?

  The general feeling is that lifetime values are advice only.

  If SG2 doesn't like what SG1 proposes (usually, a value too large), then
it should just rekey the SA more often. The advice only tells SG2 how long
it ought to keep the keys around when the channel is otherwise idle.

    Arun>   We feel that, since the local admin made a choice that lifekbytes
    Arun>   is not required/expected, it should deny the SA negotiation.

  I do not think that a lifekbytes of zero should be sent, but if received,
it should be essentially ignored. It is meaningless. It should be ignored,
since at most it was advice only.

    Arun>   What is the right thing to do? Also, we feel that having a
    Arun>   consistent configuration on both ends will eliminate the
    Arun>   confusion.

  No, you cannot assume *identical* configuration.
  a) this is why we have a protocol that has multiple options.

  b) this is often hard when multiple products are involved - they may 
     have compatible options, but not identical, and may not all offer
     the same knobs - or worse - they do, but name them differently.
     Hey, $LANG=en vs $LANG=cn would be enough to confuse the admins
     enough such that they can't even find the options!

  c) okay, so you get the configuration identical with great effort.
     Now you want to change it.
     Do you turn off the entire enterprise VPN, fly someone around the
     world to reconfigure everything and then turn it back on?
     Clearly not.
     So, you must deal with changes to the configuration as you evolve
     your settings, slowly.

    Arun>   Related question:
    Arun>   What happens when SG1 starts the quick mode?
    Arun>   Should SG2 deny the negotiation, as it expected a lifekbytes
    Arun>   attribute, but there is no 'lifekbytes' attribute coming from SG1?

  No. 

    Arun>   We feel that, for both cases to work, it is better to have the
    Arun>   same configuration on both ends so that it works consistently
    Arun>   and gives a choice to the administrators.
 
    Arun> Thanks in advance,
    Arun> Arun

]                   At IETF57 in Wien, Austria                  |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] printk("Just another Debian GNU/Linux using, kernel hacking, security guy");[


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPxO/EoqHRg3pndX9AQF4xgQAraGF0R4rEejqH/w4BxY9zcdlJbX6jw6D
Tyn0H+NFhsexz0uuyqo//k9bWndPA73OxO91nRECzKunZBMZaKJOimCfO/OaagKM
gHn63NsEZpR8eW7T1eO6d+JpZC6hnmzhesxGjJ6RZnNgOd0ybSCGfCSOoWI4CaqE
P0Aome2JPAQ=
=0bfo
-----END PGP SIGNATURE-----
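The responder-side handling described in the reply above, written out as an added example (this is not code from the original message, from either vendor, or from any IKE implementation). It encodes and parses the SA Life Type / SA Life Duration attributes of an IKEv1 Quick Mode proposal using the attribute numbers from the IPsec DOI (RFC 2407 section 4.5) and the TV/TLV attribute format from ISAKMP (RFC 2408 section 3.3), then applies the "advice only" rule: the SA is never rejected over lifetimes, a zero or absent lifekbytes value is ignored, and where both sides have a value the smaller one is enforced, so a peer value that is too large simply means rekeying sooner. The function names, the dict shape used for local policy, and the sample attribute bytes (SG2 proposing 3600 seconds plus a lifekbytes of zero against an SG1 policy with no kbytes limit) are all this example's own assumptions, constructed to mirror the two cases in the thread.

```python
import struct

# IPsec DOI attribute numbers (RFC 2407 section 4.5) and Life Type values.
SA_LIFE_TYPE = 1
SA_LIFE_DURATION = 2
LIFE_SECONDS = 1
LIFE_KILOBYTES = 2


def encode_attr(atype, value):
    """Encode one ISAKMP data attribute (RFC 2408 section 3.3).

    Values that fit in 16 bits use the TV form (AF bit set, 2-byte value);
    larger values use the TLV form (AF bit clear, 2-byte length, big-endian value).
    """
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    data = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack("!HH", atype, len(data)) + data


def parse_attrs(buf):
    """Parse a run of ISAKMP data attributes into a list of (type, int value)."""
    out = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header")
        hdr, val = struct.unpack_from("!HH", buf, off)
        off += 4
        atype = hdr & 0x7FFF
        if hdr & 0x8000:                      # TV: val is the value itself
            out.append((atype, val))
        else:                                 # TLV: val is a byte length
            if len(buf) - off < val:
                raise ValueError("truncated attribute value")
            out.append((atype, int.from_bytes(buf[off:off + val], "big")))
            off += val
    return out


def peer_lifetimes(attrs):
    """Map each SA Life Type to the SA Life Duration that follows it.

    RFC 2407 requires the Life Duration attribute to follow its Life Type
    attribute. Returns e.g. {LIFE_SECONDS: 3600, LIFE_KILOBYTES: 0}.
    """
    lifetimes = {}
    pending_type = None
    for atype, value in attrs:
        if atype == SA_LIFE_TYPE:
            pending_type = value
        elif atype == SA_LIFE_DURATION:
            if pending_type is None:
                raise ValueError("SA Life Duration without a preceding SA Life Type")
            lifetimes[pending_type] = value
            pending_type = None
    return lifetimes


def effective_lifetimes(local_policy, peer):
    """Decide what this side will actually enforce, treating peer values as advice.

    local_policy and peer are dicts keyed by Life Type (the dict shape is this
    example's assumption); None or 0 means "not configured" / "not sent".
    Policy, following the reply above: never reject the SA over lifetimes; a
    zero or absent peer value is ignored; where both sides have a value the
    smaller one wins, so a peer value that is too large just means we rekey
    sooner than the peer asked for.
    """
    effective = {}
    for ltype in (LIFE_SECONDS, LIFE_KILOBYTES):
        candidates = [v for v in (local_policy.get(ltype), peer.get(ltype)) if v]
        effective[ltype] = min(candidates) if candidates else None
    return effective


def needs_rekey(effective, age_seconds, bytes_processed):
    """True once either enforced lifetime has been reached; an unset one never fires."""
    secs = effective.get(LIFE_SECONDS)
    kbytes = effective.get(LIFE_KILOBYTES)
    return (secs is not None and age_seconds >= secs) or \
           (kbytes is not None and bytes_processed >= kbytes * 1024)


# Constructed sample (not captured traffic): SG2 proposes 3600 s and a
# lifekbytes attribute of zero; SG1's admin configured 28800 s and no kbytes
# limit, which is the first case in the thread.
SG2_ATTRS = (encode_attr(SA_LIFE_TYPE, LIFE_SECONDS) + encode_attr(SA_LIFE_DURATION, 3600)
             + encode_attr(SA_LIFE_TYPE, LIFE_KILOBYTES) + encode_attr(SA_LIFE_DURATION, 0))
SG1_POLICY = {LIFE_SECONDS: 28800, LIFE_KILOBYTES: None}

if __name__ == "__main__":
    peer = peer_lifetimes(parse_attrs(SG2_ATTRS))
    print("peer advice:", peer)                                 # {1: 3600, 2: 0}
    print("enforced:", effective_lifetimes(SG1_POLICY, peer))  # {1: 3600, 2: None}
```

The second case in the thread (SG1 initiates without a lifekbytes attribute while SG2's policy has one) falls out of the same function: with an empty peer dict, SG2 simply enforces its own configured value and the negotiation proceeds. Whether to adopt a peer value that local policy never mentioned, as this example does, is a local choice; the point the reply makes is only that neither side should fail the Quick Mode exchange over it.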