Hi Paul,
Thanks for the response.
Yes, we can retain the IPsec SAs on responder to avoid blackholing.
But in IKEv2, IKE & IPsec SAs are tied together and, in this case we would have
to create an exception, where IPsec SA would live without a parent IKE SA.
-kanaga.
________________________________
From: Paul Wouters <[email protected]>
To: Kanaga Kannappan <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Wednesday, April 10, 2013 12:30 AM
Subject: Re: [IPsec] IKEv2 initial contact handling?
On Tue, 9 Apr 2013, Kanaga Kannappan wrote:
> How to handle "Initial Contact Notification" during simultaneous IKEv2 SA
> negotiation?
>
> For example: A pair of gateways are initiating IKEv2 negotiation almost at
> the same time resulting in 2
> sets of IKEv2 SAs. In IKE_AUTH, both the boxes are sending "Initial Contact"
> notification and IKE_AUTH
> almost cross each other. On receiving the IC, if both try to delete the other
> IKE SAs on the box, we end
> up having different sets of IKE & child SAs on the both sides.
Initial contact is a bad feature all around. A responder should just
leave the old IPsec SA there to expire when its lifetime is reached.
Anything else causes issues. For example, with IKEv1 if you delete the
IPsec SA when you receive the payload, and then send back an IKE packet to
handle things like XAUTH authenticatin, there is a time when you have
no valid IPsec SA installed during a rekey, and thus tunnel downtime.
Especially if XAUTH requires a human punching in things from a token.
The only reason we (libreswan) implemented sending the payload (for IKEv1)
is that Cisco can refuse to replace an IPsec SA when it did not receive
Initial Contact, despite this new IKE having perfectly authenticated
without a problem. Libreswan fully ignores receiving an initial contact
payload. When it determines the peer ids match an existing IKE SA, it
will replace it, but again leave the IPsec SA to expire of old age, as
we cannot be sure when the other end switches from the old to the new
IPsec SA.
This all seems a remnant from configurations where the IDs are not
unique, commercially known as 'Group PSK' configurations, which were
always a bad idea as any member could pretend to be gateway and learn
all the remaining XAUTH credentials of all other users.
You should leave in the old IPsec SA despite the initial contact
payload. If your implementation allows you to keep track, you could
delete the old IPsec SA once you see traffic on the new IPsec SA.
Paul
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
