On Tue, May 05, 2009 at 04:01:19PM +0300, Tero Kivinen wrote:

<SNIP!>

> I do not really have a strong opinion which way to go, but we either
> need to make sure there is the triggering packet traffic selectors
> (which might be problematic if SA was rekeyed because of time) and the
> rekey can narrow down traffic selectors. Or we assume that narrowing
> case cannot happen, as the SAs were already deleted before they were
> rekeyed in such situations, and we can say that traffic selectors MUST
> NOT narrow down.

Let's assume the worst-case behavior and see what happens:

        - An SA requires renewal due to time (e.g. a PF_KEY *SOFT lifetime*
          expiration), and it does not contain original-triggering-packet
          information.  So an initiator just sends the selectors.  Let's say
          it's some sort of remote-port-only protection:

                TSi = 0.0.0.0-255.255.255.255, proto any, port any
                TSr = 0.0.0.0-255.255.255.255, proto TCP, port 2112

        - If the existing SA selector set matches or is a subset of the
          peer's SPD TS set, life is good.

        - If the responder now has a narrower set than the expiring SA's
          selectors (say some remote peer's traffic for port 2112 is now
          treated differently), the responder can send TS_UNACCEPTABLE to an
          overly broad set of TSes.

        - The rekey then fails, and then the initiator's SA actually
          disappears due to time (e.g. a PF_KEY *HARD lifetime* expiration).
          The initiator tries again with no SA available, and it is treated
          like a brand-new negotiation (where triggering packet information
          is more readily available).

If we go with "assume that the narrowing case cannot happen", even the above
worst-case behavior will continue to work, so long as the responder does the
right thing and rejects rekeying if the proposed traffic selectors are too
broad for its policy.

I would lean toward "assume that the narrowing case cannot happen", because
if the narrowing case DOES happen, then even if SAs are still lying around,
they can expire and negotiations can begin from scratch.  It is much harder
to include the triggering packet's data all of the time, because if an SA is
shared by many potential triggering packets, a time-expired renegotiation
CANNOT happen.

Dan
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
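The worst-case timeline above (SOFT-lifetime rekey without triggering-packet data, TS_UNACCEPTABLE from a responder whose policy has narrowed, HARD-lifetime expiry, then a fresh negotiation that carries the triggering packet's selector) as a runnable simulation. This is an added example, not code from the thread, from any IKE implementation, or from an RFC; the selector and policy model is a deliberately simplified stand-in for IKEv2 TSi/TSr handling, the responder rule "a rekey must fit an SPD entry exactly, only a fresh negotiation is narrowed" is the "assume the narrowing case cannot happen" option being discussed, and the addresses (192.0.2.0/24, 198.51.100.0/24), the port-2112 policy, the carve-out of peer 192.0.2.7 and the triggering packet are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

ANY_PROTO = 0   # IKEv2 traffic selectors use protocol 0 for "any"
TCP = 6
A = IPv4Address


@dataclass(frozen=True)
class TS:
    """One traffic selector: address range, IP protocol, port range (simplified model)."""
    lo: IPv4Address
    hi: IPv4Address
    proto: int = ANY_PROTO
    port_lo: int = 0
    port_hi: int = 65535

    def contains(self, other: "TS") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        if self.proto != ANY_PROTO and self.proto != other.proto:
            return False
        return (self.lo <= other.lo and other.hi <= self.hi
                and self.port_lo <= other.port_lo and other.port_hi <= self.port_hi)

    def intersect(self, other: "TS") -> Optional["TS"]:
        """Selector matched by both, or None if they are disjoint."""
        if ANY_PROTO not in (self.proto, other.proto) and self.proto != other.proto:
            return None
        proto = other.proto if self.proto == ANY_PROTO else self.proto
        lo, hi = max(self.lo, other.lo), min(self.hi, other.hi)
        plo, phi = max(self.port_lo, other.port_lo), min(self.port_hi, other.port_hi)
        if lo > hi or plo > phi:
            return None
        return TS(lo, hi, proto, plo, phi)


# The selectors from the message: any local traffic to TCP port 2112 anywhere.
ALL = TS(A("0.0.0.0"), A("255.255.255.255"))
TCP_2112 = TS(A("0.0.0.0"), A("255.255.255.255"), TCP, 2112, 2112)

# Constructed triggering packet: initiator 192.0.2.10:40000 -> responder 198.51.100.1:2112
TRIGGER_I = TS(A("192.0.2.10"), A("192.0.2.10"), TCP, 40000, 40000)
TRIGGER_R = TS(A("198.51.100.1"), A("198.51.100.1"), TCP, 2112, 2112)

# Responder SPD entries: (name, acceptable TSi list, acceptable TSr list).
SPECIAL_PEER = TS(A("192.0.2.7"), A("192.0.2.7"))   # constructed: peer now handled separately
SPD_BEFORE = [("port-2112", [ALL], [TCP_2112])]
SPD_AFTER = [
    ("port-2112", [TS(A("0.0.0.0"), A("192.0.2.6")),
                   TS(A("192.0.2.8"), A("255.255.255.255"))], [TCP_2112]),
    ("port-2112-special-peer", [SPECIAL_PEER], [TCP_2112]),
]


def _fits(policy_side: List[TS], proposed_side: List[TS]) -> bool:
    return all(any(p.contains(t) for p in policy_side) for t in proposed_side)


def _narrow(policy_side: List[TS], proposed_side: List[TS]) -> List[TS]:
    out: List[TS] = []
    for t in proposed_side:
        for p in policy_side:
            x = p.intersect(t)
            if x is not None and x not in out:
                out.append(x)
    return out


def responder_create_child_sa(spd, tsi: List[TS], tsr: List[TS], rekey: bool):
    """Responder decision for a CREATE_CHILD_SA. Returns (status, policy, TSi, TSr)."""
    # 1. Proposal fits entirely inside one policy entry: accept as proposed.
    for name, p_tsi, p_tsr in spd:
        if _fits(p_tsi, tsi) and _fits(p_tsr, tsr):
            return "OK", name, tsi, tsr
    # 2. Rekey under the "no narrowing" rule: an over-broad set is rejected.
    if rekey:
        return "TS_UNACCEPTABLE", None, None, None
    # 3. Fresh negotiation: the first TS on each side is the triggering packet,
    #    so narrow the proposal to the policy entry that covers that packet.
    for name, p_tsi, p_tsr in spd:
        if _fits(p_tsi, tsi[:1]) and _fits(p_tsr, tsr[:1]):
            return "OK", name, _narrow(p_tsi, tsi), _narrow(p_tsr, tsr)
    return "TS_UNACCEPTABLE", None, None, None


def run_timeline(spd):
    """Initiator's view of the worst case: SOFT rekey, HARD expiry, fresh negotiation."""
    events = []
    # SOFT lifetime fires; no triggering packet is remembered, so the SA's
    # own selectors are re-proposed unchanged.
    status, _, tsi, tsr = responder_create_child_sa(spd, [ALL], [TCP_2112], rekey=True)
    events.append(("rekey at SOFT lifetime", status))
    if status == "OK":
        return events, (tsi, tsr)
    # Rekey failed; the HARD lifetime eventually deletes the SA.
    events.append(("HARD lifetime", "SA deleted"))
    # The next packet triggers a brand-new negotiation with its own selector first.
    status, _, tsi, tsr = responder_create_child_sa(
        spd, [TRIGGER_I, ALL], [TRIGGER_R, TCP_2112], rekey=False)
    events.append(("new negotiation", status))
    return events, ((tsi, tsr) if status == "OK" else None)


if __name__ == "__main__":
    for label, spd in (("unchanged SPD", SPD_BEFORE), ("narrowed SPD", SPD_AFTER)):
        print(label, *run_timeline(spd))
```

With the unchanged SPD the rekey is accepted as proposed (the "life is good" bullet). With the narrowed SPD the rekey is refused, the SA is deleted at the HARD lifetime, and the fresh negotiation succeeds with selectors narrowed around the triggering packet, leaving 192.0.2.7 out of the new SA.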