Hello,


In case you are interested in detailed procedures of the 3GPP specification, I 
have copied them at the end of this mail.



> > I am confused. Is this a notify of the server to the client, or a
> > configuration item by the server instructing client behaviour?
>
> It is notify from the server to client. I.e. client sends empty
> TIMEOUT_PERIOD_FOR_LIVENESS_CHECK in the CFG_REQUEST and
> server will send value in seconds inside its
> TIMEOUT_PERIOD_FOR_LIVENESS_CHECK in CFG_REPLY. I.e. the server asks client
> to use following liveness timeout period.



3GPP spec expects that if the client (User Equipment) supports the 
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK configuration attribute, then the client 
(User Equipment) *enforces* the timer value indicated in the 
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK configuration attribute in CFG_REPLY sent by 
server (Evolved Packet Data Gateway).



I.e. it is an instruction, not a suggestion.



It is supposed to work as follows:



   first request       --> IDi,
                           [N(INITIAL_CONTACT)],
                           [[N(HTTP_CERT_LOOKUP_SUPPORTED)], CERTREQ+],
                           [IDr],
                           [CP(CFG_REQUEST (*TIMEOUT_PERIOD_FOR_LIVENESS_CHECK with empty value*) )],
                           [N(IPCOMP_SUPPORTED)+],
                           [N(USE_TRANSPORT_MODE)],
                           [N(ESP_TFC_PADDING_NOT_SUPPORTED)],
                           [N(NON_FIRST_FRAGMENTS_ALSO)],
                           SA, TSi, TSr,
                           [V+][N+]

   first response      <-- IDr, [CERT+], AUTH,
                           EAP,
                           [V+][N+]

                     / --> EAP
   repeat 1..N times |
                     \ <-- EAP

   last request        --> AUTH

   last response       <-- AUTH,
                           [CP(CFG_REPLY(*TIMEOUT_PERIOD_FOR_LIVENESS_CHECK with a value selected by server*))],
                           [N(IPCOMP_SUPPORTED)],
                           [N(USE_TRANSPORT_MODE)],
                           [N(ESP_TFC_PADDING_NOT_SUPPORTED)],
                           [N(NON_FIRST_FRAGMENTS_ALSO)],
                           SA, TSi, TSr,
                           [N(ADDITIONAL_TS_POSSIBLE)],
                           [V+][N+]





If the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK with a value selected by server is 
received as shown above, the client (user equipment) must perform the liveness 
check procedure with the timeout indicated by the 
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK configuration attribute.





Detailed TS 24.302 client procedures related to the 
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute are:

-------------

7.2.2       Tunnel establishment
7.2.2.1 Tunnel establishment accepted by the network
.....
The UE may support the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified 
in subclause 8.2.4.2. If the UE supports the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK 
attribute, the UE shall include the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute 
indicating support of receiving timeout period for liveness check in the 
CFG_REQUEST configuration payload. If the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK 
attribute as specified in subclause 8.2.4.2 indicating the timeout period for 
the liveness check is included in the CFG_REPLY configuration payload or if the 
UE has a pre-configured timeout period, the UE shall perform the tunnel 
liveness checks as described in subclause 7.2.2A.

NOTE:      The timeout period for liveness check is pre-configured in the UE in 
implementation-specific way.
.....
7.2.2A    Liveness check
If the UE supports the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified 
in subclause 8.2.4.2 and the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as 
specified in subclause 8.2.4.2 was included in the CFG_REPLY configuration 
payload received in subclause 7.2.2 the UE shall set the timeout period for the 
liveness check to the value of the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute.
If the UE does not support the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as 
specified in subclause 8.2.4.2 or the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK 
attribute as specified in subclause 8.2.4.2 was not included in the CFG_REPLY 
configuration payload received in subclause 7.2.2 then the UE shall use the 
pre-configured value of the timeout period for liveness check.

NOTE:      The timeout period is pre-configured in the UE in 
implementation-specific way.
If the UE has not received any cryptographically protected IKEv2 or IPSec 
message for the duration of the timeout period for liveness check, the UE shall 
send an INFORMATIONAL request with no payloads as per IETF RFC 5996 [28]. If an 
INFORMATIONAL response is not received, the UE shall deem the IKEv2 security 
association to have failed.

-------------



Detailed TS 24.302 server procedures related to the 
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute are:

-------------

The ePDG shall proceed with IPsec tunnel setup completion and shall relay in 
the IKEv2 Configuration Payload (CFG_REPLY) of the final IKE_AUTH response 
message:

...

-     The ePDG may include the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as 
specified in subclause 8.2.4.2 indicating the timeout period for liveness check 
in the CFG_REPLY configuration payload. Presence of the 
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute in the IKE_AUTH request can be used 
as input for decision on whether to include the 
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute.

...

-------------





Kind regards



Ivo Sedlacek
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
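
The UE-side handling described in the message above (empty attribute in CFG_REQUEST, timeout selection per subclause 7.2.2A, and the liveness decision), as an added Python example that is not part of the original email or of the 3GPP text. The attribute header layout follows RFC 5996/7296 section 3.15.1; the attribute type number is a placeholder, and the 4-octet seconds encoding, the handling of a wrongly sized value, and the `response_wait` parameter are assumptions.

```python
import struct

# Placeholder type number (assumption): substitute the IANA-assigned value.
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK = 0x7FFF

def parse_cfg_attributes(data: bytes) -> dict:
    """Attribute = 1 reserved bit + 15-bit type, 16-bit length, value."""
    attrs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!HH", data, off)
        off += 4
        if alen > len(data) - off:
            raise ValueError("attribute length exceeds payload")
        attrs[atype & 0x7FFF] = data[off:off + alen]
        off += alen
    return attrs

def cfg_request_attribute() -> bytes:
    """UE -> ePDG: empty value, signalling support for the attribute."""
    return struct.pack("!HH", TIMEOUT_PERIOD_FOR_LIVENESS_CHECK, 0)

def select_timeout(cfg_reply: bytes, preconfigured: int, supported: bool = True) -> int:
    """7.2.2A: CFG_REPLY value if supported and included, else pre-configured."""
    if not supported:
        return preconfigured
    value = parse_cfg_attributes(cfg_reply).get(TIMEOUT_PERIOD_FOR_LIVENESS_CHECK)
    # Assumption: the value is a 4-octet unsigned number of seconds; an empty
    # or odd-sized value is treated here as "not included".
    if value is None or len(value) != 4:
        return preconfigured
    return struct.unpack("!I", value)[0]

def liveness_action(now, last_protected_rx, timeout, probe_sent_at=None, response_wait=10):
    """Decide the next step; times are seconds on one monotonic clock.
    response_wait (assumption) is how long the UE waits for the response."""
    if probe_sent_at is not None and last_protected_rx < probe_sent_at:
        if now - probe_sent_at >= response_wait:
            return "SA_FAILED"            # no INFORMATIONAL response arrived
        return "WAIT_FOR_RESPONSE"
    if now - last_protected_rx >= timeout:
        return "SEND_EMPTY_INFORMATIONAL"  # request with no payloads
    return "IDLE"

# Constructed CFG_REPLY attributes: INTERNAL_IP4_ADDRESS 10.0.0.1, timeout 30 s.
SAMPLE_REPLY = (struct.pack("!HH4s", 1, 4, bytes([10, 0, 0, 1]))
                + struct.pack("!HHI", TIMEOUT_PERIOD_FOR_LIVENESS_CHECK, 4, 30))
```

Only traffic that passed integrity verification should advance `last_protected_rx`, since the specification counts cryptographically protected IKEv2 or IPsec messages, not arbitrary packets from the peer address.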
