Hi Keith,
thanks for exploring this important issue. Here are a few preliminary
comments:
- The intro is short on motivation: what *exactly* happens today, and
why it is a problem that needs to be solved: bandwidth? CPU? Memory?
Complexity?
- There's a long treatment of simultaneous reauth. I'm not saying it is
unimportant, but it's certainly more important to spell out *exactly
when* the new SA inherits the old one's baggage (immediately when the
IKE_AUTH completes successfully, I guess); and very important to say
what happens in error cases, for example if authentication fails.
Thanks,
Yaron
On 09/28/2010 10:09 PM, Keith Welter wrote:
After writing this draft
(http://www.ietf.org/id/draft-welter-ipsecme-ikev2-reauth-00.txt), I
re-discovered an old thread about the same issue. The post that started
the thread was from Martin Willi on Tue, 16 Sep 2008 with subject
"[IPsec] Reauthentication extension for IKEv2"
(http://www.ietf.org/mail-archive/web/ipsec/current/msg03106.html). The
discussion in the thread wandered quite a bit, so much so that it was
renamed "Identifying encrypted traffic" midstream. Following all the
posts on the thread, it appears to me that Martin's original question of
whether or not there should be a reauthentication extension for IKEv2
was forgotten and never answered (certainly rough consensus was not
reached). I named my draft to match the subject of Martin's original
post and I hope to use the draft to re-invigorate the discussion on this
topic. I would appreciate comments from the subscribers of this list as
to whether or not a reauthentication extension for IKEv2 is worth doing
and of course I would also appreciate comments on the draft itself.
Thanks,
Keith Welter
IBM z/OS Communications Server Developer
> A new version of I-D, draft-welter-ipsecme-ikev2-reauth-00.txt has
> been successfully submitted by Keith Welter and posted to the IETF
> repository.
>
> Filename: draft-welter-ipsecme-ikev2-reauth
> Revision: 00
> Title: Reauthentication Extension for IKEv2
> Creation_date: 2010-09-28
> WG ID: Independent Submission
> Number_of_pages: 10
>
> Abstract:
> This document extends the Internet Key Exchange (IKEv2) Protocol
> document [IKEv2]. IKEv2 reauthentication does not scale well when an
> IKE SA has multiple Child SAs because each Child SA of the IKE SA to
> be reauthenticated must be renegotiated. In addition,
> reauthentication is susceptible to the same kinds of exchange
> collisions as those that may occur during rekeying. This document
> describes a mechanism to detect reauthentication and avoid
> renegotiating the Child SAs. In addition, this document describes
> proper handling of exchange collisions that may occur during
> reauthentication.
>
> The IETF Secretariat.
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
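The two questions Yaron raises (exactly when the new IKE SA inherits the old one's Child SAs, and what happens when IKE_AUTH fails) and the scaling problem stated in the draft's abstract can be made concrete with a small state model. The following is an added example written for this thread, not code from the draft, from Keith, or from any IKE implementation. It contrasts today's behaviour, as RFC 5996 section 2.8.3 describes reauthentication (new IKE SA, every Child SA re-created under it, old IKE SA deleted), with one reading of the inheritance semantics Yaron asks the draft to pin down: Child SAs move to the new IKE SA at the moment its IKE_AUTH succeeds, and a failed IKE_AUTH leaves the old IKE SA and its Child SAs untouched. The exchange names, the `inherit_children` marker and the "old SPI + 1000" scheme for re-created children are assumptions of this model, not the draft's wire format.

```python
"""Toy model of IKEv2 reauthentication state (constructed example).

Baseline follows RFC 5996 section 2.8.3: reauthentication creates a new
IKE SA, re-creates each Child SA under it (the first one piggybacks on
IKE_AUTH, the rest need a CREATE_CHILD_SA exchange each) and then deletes
the old IKE SA.  The inheritance variant is an assumed semantics for the
draft's idea: Child SAs are handed over to the new IKE SA exactly when
IKE_AUTH completes successfully; on failure the old IKE SA keeps them.
"""
from dataclasses import dataclass, field


@dataclass
class IkeSa:
    spi: int
    authenticated: bool = False
    children: set = field(default_factory=set)   # Child SA SPIs


@dataclass
class Peer:
    """One endpoint's view of its IKE SAs plus a log of exchanges sent."""
    sas: dict = field(default_factory=dict)      # IKE SPI -> IkeSa
    exchanges: list = field(default_factory=list)

    def find_children(self):
        """All Child SA SPIs currently protected by any IKE SA."""
        return {c for sa in self.sas.values() for c in sa.children}


def reauth_baseline(peer, old_spi, new_spi, auth_ok):
    """RFC 5996 style: new IKE SA, re-create every Child SA, delete old IKE SA.
    Returns the SPI of the IKE SA that is active afterwards."""
    old = peer.sas[old_spi]
    peer.exchanges.append("IKE_SA_INIT")
    peer.exchanges.append("IKE_AUTH")            # carries the first Child SA
    if not auth_ok:
        return old.spi                           # old SA and children untouched
    new = IkeSa(new_spi, authenticated=True)
    # re-created children get fresh SPIs; modelled here as old SPI + 1000 (assumption)
    for child in old.children:
        new.children.add(child + 1000)
    # the first child rides on IKE_AUTH, each remaining one costs an exchange
    peer.exchanges.extend(["CREATE_CHILD_SA"] * (len(old.children) - 1))
    peer.exchanges.append("INFORMATIONAL(DELETE)")  # old IKE SA and its children
    del peer.sas[old_spi]
    peer.sas[new_spi] = new
    return new.spi


def reauth_inherit(peer, old_spi, new_spi, auth_ok):
    """Assumed inheritance semantics: Child SAs move to the new IKE SA at the
    instant IKE_AUTH succeeds; a failed IKE_AUTH changes nothing."""
    old = peer.sas[old_spi]
    peer.exchanges.append("IKE_SA_INIT")
    peer.exchanges.append("IKE_AUTH(inherit_children)")  # marker is an assumption
    if not auth_ok:
        return old.spi                           # old SA and children untouched
    new = IkeSa(new_spi, authenticated=True, children=set(old.children))
    old.children.clear()                         # handover is atomic with success
    peer.sas[new_spi] = new
    peer.exchanges.append("INFORMATIONAL(DELETE)")  # old IKE SA, now childless
    del peer.sas[old_spi]
    return new.spi


def make_peer(n_children):
    """Constructed starting state: one authenticated IKE SA with n Child SAs."""
    peer = Peer()
    peer.sas[1] = IkeSa(1, authenticated=True,
                        children=set(range(1, n_children + 1)))
    return peer


def demo(n_children, strategy, auth_ok):
    """Run one reauthentication and report (active IKE SPI, exchange count,
    sorted Child SA SPIs still in place)."""
    peer = make_peer(n_children)
    active = strategy(peer, 1, 2, auth_ok)
    return active, len(peer.exchanges), sorted(peer.find_children())


if __name__ == "__main__":
    for strategy in (reauth_baseline, reauth_inherit):
        for ok in (True, False):
            print(strategy.__name__, "auth_ok=%s" % ok, demo(5, strategy, ok))
```

With five Child SAs the baseline costs seven exchanges and replaces every Child SA SPI, while the inheritance variant costs three and keeps the SPIs; in both models a failed IKE_AUTH leaves IKE SPI 1 and its five children exactly as they were, which is the error-case behaviour Yaron asks the draft to state explicitly.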