On Apr 9, 2013, at 8:03 PM, Kanaga Kannappan <[email protected]> wrote:
> Hi All, How to handle "Initial Contact Notification" during simultaneous IKEv2 SA negotiation?

The simplest answer is not to handle it.

It makes sense that peers will do a simultaneous negotiation for rekeying an IPsec SA. Most gateways do this proactively, but only in response to traffic. So if both are configured to expire SAs after 1 hour, but renegotiate after 55 minutes, then if there's a packet when the SA is 56 minutes old, it could trigger a simultaneous re-negotiation. OTOH when initiating the first IKE SA, it's not likely to start from both sides at the same time. You could probably reproduce such a case in the lab.

What you're supposed to do when presented with an Initial Contact is delete all "other" IKE SAs. My code only erases established SAs (not things that are in the middle of the initial exchanges), so if they're simultaneous either both will be set up or only one, based on the tie-breaker logic in RFC 5996.

But suppose your code is different. The worst case is that each side has deleted the IKE SA that it has initiated, and both gateways end up with one IKE SA each (different SAs). If your code has a recovery mechanism such as RFC 6290, that issue gets resolved quickly. I don't think this edge case is something to worry about.

Yoav
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
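The two outcomes described in the reply, as an added toy model (not code from the thread or from any IKE implementation): a gateway that receives INITIAL_CONTACT deletes its other SAs with that peer, either only established ones or also half-open ones, and the simultaneous-setup scenario is replayed under both rules. SA names, states and the event order are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed model of INITIAL_CONTACT handling; not a real IKE implementation.
ESTABLISHED = "established"
HALF_OPEN = "half-open"  # still inside the IKE_SA_INIT / IKE_AUTH exchanges


@dataclass
class IkeSa:
    spi: str
    peer: str
    state: str


@dataclass
class Gateway:
    sas: dict  # spi -> IkeSa

    def on_initial_contact(self, new_spi, delete_half_open=False):
        """Peer signalled INITIAL_CONTACT on SA new_spi: drop our other SAs with
        that peer. With delete_half_open=False (the rule in the reply) SAs still
        in their initial exchanges survive. Returns the SPIs deleted."""
        peer = self.sas[new_spi].peer
        doomed = sorted(spi for spi, sa in self.sas.items()
                        if spi != new_spi and sa.peer == peer
                        and (sa.state == ESTABLISHED or delete_half_open))
        for spi in doomed:
            del self.sas[spi]
        return doomed


def rebooted_peer():
    """Normal case: A holds stale SA0; B comes back, sets up SA3 and sends
    INITIAL_CONTACT on it, so A must discard SA0."""
    a = Gateway({"SA0": IkeSa("SA0", "B", ESTABLISHED),
                 "SA3": IkeSa("SA3", "B", ESTABLISHED)})
    return a.on_initial_contact("SA3"), sorted(a.sas)


def simultaneous_setup(delete_half_open):
    """A and B initiate at once (SA1 from A, SA2 from B). At each end the
    peer-initiated SA completes first, carrying INITIAL_CONTACT. Returns the
    SPIs each gateway ends up holding."""
    a = Gateway({s: IkeSa(s, "B", HALF_OPEN) for s in ("SA1", "SA2")})
    b = Gateway({s: IkeSa(s, "A", HALF_OPEN) for s in ("SA1", "SA2")})
    a.sas["SA2"].state = ESTABLISHED
    a.on_initial_contact("SA2", delete_half_open)
    b.sas["SA1"].state = ESTABLISHED
    b.on_initial_contact("SA1", delete_half_open)
    for spi in ("SA1", "SA2"):  # the other SA completes only if both still have it
        if spi in a.sas and spi in b.sas:
            a.sas[spi].state = b.sas[spi].state = ESTABLISHED
    return sorted(a.sas), sorted(b.sas)
```

With the conservative rule both gateways end up holding SA1 and SA2 (left to the RFC 5996 tie-breaker); with the aggressive rule A keeps only SA2 and B only SA1, the mismatched state the reply warns about.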
