
Re: Question about Version Numbers



Fair enough, Bill (see his concern below).

How about instead of Alice completely ignoring the "I only speak n",
having Alice continue with n+1 but also do n. That way the worst the attacker can
do is force you to do two connections, and then once n+1 comes up, you
can drop the version n SA.

This also doesn't require a change to the protocol.

Radia

----- Original Message -----
From: Bill Sommerfeld <sommerfeld@east.sun.com>
Date: Friday, April 9, 2004 4:18 pm
Subject: Re: Question about Version Numbers

> > d) have Alice remember that Bob can talk n+1, and refuse to believe
> > an unauthenticated notification telling her otherwise
> >
> > Note that d) is allowed by the current spec (wouldn't violate any
> > on-the-wire messages). So I think we should do that, which doesn't
> > require changing the spec.  Perhaps this will motivate me to revive
> > the tutorial spec and mention that in an implementation tip.
> 
> Actually, I'd like to discourage this particular strategy -- it makes
> it extremely difficult to cleanly back out of a failed upgrade.
> 
> There's a common OS/firmware upgrade strategy involving the use of
> multiple OS images -- you can update a standby image, activate the
> standby image and reboot, and then, because you still have the
> original image around, you can (relatively) easily fall back to a
> known working configuration if everything didn't work as anticipated.
> 
> The reason for falling back to the previous version may have nothing
> to do with IKE/IPsec -- the new IKE version may just be along for the
> ride in the new configuration.
> 
> With a "once I've seen you speak n+1, I refuse to talk version n to
> you" strategy, I now have to track down all the nodes that this system
> spoke to during this interval and apply percussive maintenance -- and
> I may not have the authority to use the necessary hammers myself.
> 
>                                	- Bill
>
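The two strategies under discussion, as an added toy model (not code from either message, and not IKE on-the-wire detail): Alice's remembered "Bob speaks n+1" versus an unauthenticated "I only speak n" notify. With strict=True she behaves as in option (d) and ignores the notify; with strict=False she keeps the n+1 attempt alive, also starts n, and tears the version-n SA down once n+1 comes up. Version numbers (n = 1, n+1 = 2), message names, and the order in which replies arrive are assumptions chosen for illustration.

```python
"""Added example (not from the original message): a toy model of the
"try n+1, but also start n" strategy against a spoofed "I only speak n"
notify, compared with the strict "refuse to believe it" strategy (d).
Version numbers (n = 1, n+1 = 2), message names and the timing order
are assumptions chosen for illustration, not IKE on-the-wire details."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Responder:
    """Bob. Completes any exchange at a version he supports; anything
    higher gets an unauthenticated notify naming his maximum."""
    max_version: int

    def handle(self, version: int):
        if version <= self.max_version:
            return ("established", version)
        return ("notify_max", self.max_version)


@dataclass
class Initiator:
    """Alice. 'remembered' is the highest version Bob has ever spoken.
    strict=True is strategy (d): ignore notifies claiming less than that.
    strict=False is the parallel strategy: keep the n+1 attempt alive,
    start n as well, then drop the lower SA once n+1 comes up."""
    remembered: int
    strict: bool = False
    attempts: Dict[int, str] = field(default_factory=dict)  # version -> state
    active_sa: Optional[int] = None
    connections_made: int = 0

    def start(self) -> int:
        self.attempts[self.remembered] = "in_progress"
        self.connections_made += 1
        return self.remembered

    def on_notify_max(self, claimed_max: int) -> Optional[int]:
        """Unauthenticated 'I only speak claimed_max'. Returns the extra
        version to start in parallel, or None if nothing new is started."""
        if self.strict or claimed_max >= self.remembered:
            return None
        if claimed_max in self.attempts:
            return None
        self.attempts[claimed_max] = "in_progress"
        self.connections_made += 1
        return claimed_max

    def on_failed(self, version: int) -> None:
        self.attempts[version] = "failed"

    def on_established(self, version: int) -> List[int]:
        """Keep only the highest established SA; returns the versions dropped."""
        self.attempts[version] = "established"
        best = max(v for v, s in self.attempts.items() if s == "established")
        dropped = [v for v, s in self.attempts.items()
                   if s == "established" and v < best]
        for v in dropped:
            self.attempts[v] = "dropped"
        self.active_sa = best
        # Only an authenticated success raises what Alice remembers;
        # the notify alone never lowers it.
        self.remembered = max(self.remembered, best)
        return dropped


def negotiate(alice: Initiator, bob: Responder,
              spoofed_notify: Optional[int] = None) -> Initiator:
    """One connection. An on-path attacker may inject a notify before
    Bob's real replies; replies are then processed lowest version first
    (the version-n leg is assumed to finish before the n+1 leg)."""
    alice.start()
    if spoofed_notify is not None:
        alice.on_notify_max(spoofed_notify)
    pending = sorted(v for v, s in alice.attempts.items() if s == "in_progress")
    while pending:
        version = pending.pop(0)
        kind, value = bob.handle(version)
        if kind == "established":
            alice.on_established(value)
        else:
            alice.on_failed(version)
            extra = alice.on_notify_max(value)
            if extra is not None:
                pending.append(extra)
    return alice


if __name__ == "__main__":
    # Attacker spoofs "I only speak 1" while Bob really speaks 2.
    a = negotiate(Initiator(remembered=2), Responder(max_version=2), spoofed_notify=1)
    print("spoofed, parallel  :", a.active_sa, a.attempts, a.connections_made)
    # Bob genuinely rolled back to version 1 (the upgrade-fallback case).
    b = negotiate(Initiator(remembered=2), Responder(max_version=1))
    print("downgrade, parallel:", b.active_sa, b.attempts)
    c = negotiate(Initiator(remembered=2, strict=True), Responder(max_version=1))
    print("downgrade, strict  :", c.active_sa, c.attempts)
```

In the spoofed case the parallel strategy costs Alice a second connection and a short-lived version-1 SA, then ends on version 2. In the genuine-rollback case it still converges on version 1 with no operator intervention, whereas the strict strategy ends with no SA at all, which is the failure mode described in the quoted reply.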