On Aug 25, 2013, at 9:45 AM, Yaron Sheffer <yaronf.i...@gmail.com> wrote:

> Hi Yoav,
> 
> I started by reading -01, then went back to -00. And I think the two can be 
> merged to create a better solution.
> 
> Including the notification as soon as the peers know they want a handover is 
> cleaner. So IKE_AUTH (of the new SA) is better than DELETE, and in fact 
> IKE_SA_INIT would be even more useful because then you can define that all 
> such IKE SAs are implicitly childless, and avoid the need for the RFC 6023 
> notification.
> 
> CAFR -01 says a peer is allowed to hand over the Child SAs if it successfully 
> authenticates to the other peer and has the same authenticated identity. 
> Seems to me this is symmetric, i.e. it doesn't matter if the exchange is run 
> over the "old" or the "new" IKE SA. And so this could apply just as well to 
> -00, and the POP stuff is not needed.
> 
> I'm not sure about the race discussion in -00, because it only applies in 
> failure cases. Can't an attacker "swallow" a few DELETE messages or their 
> responses and cause a similar database mismatch?

I hope they can't. Informationals with DELETEs are just like any other IKEv2 
exchange. If at active attacker swallows DELETEs or their responses, eventually 
at least one side loses the IKE SA. 

But with regular initial IKE, there is an asymmetry. The Responder verifies the 
IKE_AUTH request, generates the Response, sends it, and believes that 
everything is just fine. Then the Initiator gets the IKE_AUTH response, and 
decides that something is wrong. Maybe the certificate has just expired, or the 
OCSP server is unreachable, or the new certificate does not have the proper 
extended key usage. So we have an asymmetry, where the Responder believes that 
IKE_AUTH succeeded, while the Initiator believes that it failed. The Initiator 
quickly rectifies this with a DELETE, but that takes some time (milliseconds, 
but still - time). 

So if we tie some action on the part of both parties to the IKE_AUTH success, 
we get cases where the Responder performs the action, while the Initiator does 
not. In this case, the Responder transfers the child SAs to the new IKE SA, and 
the Initiator doesn't. The subsequent DELETE for the new IKE SA sent by the 
Initiator deletes all those Child SAs on the Responder, while they remain alive 
and active on the Initiator. You could use some heuristic, like if the DELETE 
comes within x seconds of the IKE_AUTH, you transfer the child SAs back. But 
that is some weird code that we should not require people to make. 

Making the transfer follow the IKE_AUTH makes it all cleaner. Whether it's done 
with the old or new IKE SA depends on whether you are worried about childless 
IKE SAs kidnapping the children of other IKE SAs (sorry, couldn't resist). We 
are not likely to require sameness of IP address, and I am worried about the 
reliability of code comparing to IKE SAs for sameness of authenticated 
identity. All L2TP over IPsec clients tend to have the same identity (with user 
authentication being done at the PPP layer). Do we allow them to claim each 
other's child SAs? I think not, and then if we take the "pull" approach - using 
the new IKE SA - we need some PoP. With a "push" approach - using the old IKE 
SA - we don't.

> Also note that the notification syntax is in conflict with both RFC 5996 and 
> RFC 4306. RFC 5996 removes the option of Protocol ID=1, while RFC 4306 
> assumes that we are talking about the *current* IKE SA, and so mandates that 
> the SPI field should be empty in this case. Practically speaking, we will 
> have to fix 5996 before this can document move forward. Luckily we're doing 
> just that with Tero's bis draft.

Good timing!

Yoav
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to