Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr

2009-04-21 Thread raj singh
Hi Matt, Let me re-phrase my questions: 1. If there is no TSi and TSr payload in IKE_AUTH exchange, whether we go ahead and process IKE_AUTH payloads or not ? 2. Appendix C: IKE_AUTH: Error in CHILD SA creation. It will come into picture if we process the packet. If we go ahead and process the

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Lakshminath Dondeti
On 4/21/2009 5:23 PM, Tero Kivinen wrote: I still do not think making the 1 RT protocol to 2 RT protocol in that case would really cause any noticeable effect to the actual handover. Hi Tero, How do you know this? I ask because, I would like to use those arguments to tell people who are

Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr

2009-04-21 Thread Matthew Cini Sarreo
Hello Raj, According to Appendix C, for IKE_AUTH: error in Child SA <-- IDr, [CERT+], creationAUTH, N(error), [V+] So sending an authenticated and encrypted INVALID_SYNTAX notification over the IKE_SA that has ju

Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr

2009-04-21 Thread raj singh
Hi Matt, There is possibility of just IKEv2 SA gets established during IKE_AUTH and IPsec SA getting established via CREATE_CHILD_SA. The question is what behavior RFC mandate ? What you think ? Thanks for your reply. Regards, Raj On Wed, Apr 22, 2009 at 11:40 AM, Matthew Cini Sarreo wrote: >

Re: [IPsec] [IKEv2] IKE_AUTH without TSi, TSr

2009-04-21 Thread Matthew Cini Sarreo
In IKE_AUTH TSi and TSr are mandatory, so it is not possible to omit them from an authentication exchange message, as there would be no way for the SA to know what traffic should be forwarded through the SA. It seems that the correct error message would be INVALID_SYNTAX. This would require the me

[IPsec] [IKEv2] IKE_AUTH without TSi, TSr

2009-04-21 Thread raj singh
Hi Group, What is the expected behavior if as a responder we do not receive TSi and TSr in IKE_AUTH exchange ? Shall we go ahead and establish IKEv2 SA ? If yes, shall we send out TSi and TSr ? Or we should reject the packet ? If we reject the packet during packet validation with doing ID and AUTH

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Narayanan, Vidya
> > From the ipsecme charter: > > Failover from one gateway to another, mechanisms for detecting > when a session should be resumed, and specifying communication > mechanisms between gateways are beyond the scope of this work > item. > > Thus failover from one gateway to an

[IPsec] Issue #102: What to do about {{ }} notation in ikev2bis

2009-04-21 Thread Paul Hoffman
Since its first draft, the IKEv2 bis document has had flags for where new text came from RFC 4718, such as "{{ Clarif-6.1 }}" and "{{ Clarif-4.2}}". Using a related notation, we have also marked where text that originally existed in the top-heavy listing of notifications has been moved into the

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Tero Kivinen
Yaron Sheffer writes: > However, given that normal NAT detection happens during IKE_SA_INIT, can you > clarify why this would work better if we had a 2 RT protocol? I think this should explain it: > > exchange too. Allowing IP-addresses change means that the network > > where the packets can come

[IPsec] Multiple payloads of same type

2009-04-21 Thread Tero Kivinen
Kalyani Garigipati (kagarigi) writes: > Please validate if the following is true. > > Apart form Notify, DELETE, Vendor ID, CERT, CERTREQ, PROPOSAL, TRANFORM, > TSi and TSr all other payloads like SA1, SA2, IDi, IDr, KE, NONCE, > DELETE, AUTH, CONFIG, ENCRYPT should not be sent as multiple payload

Re: [IPsec] Some comments to draft-ietf-ipsecme-ikev2-resumption-02.txt

2009-04-21 Thread Yaron Sheffer
Hi Tero, I have opened Issue #101 for your comments (being too lazy to process them into multiple issues), and we will process them in batch mode. Thanks, Yaron > -Original Message- > From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of > Tero Kivinen > Sent:

[IPsec] Some comments to draft-ietf-ipsecme-ikev2-resumption-02.txt

2009-04-21 Thread Tero Kivinen
During the other discussion I read the draft-ietf-ipsecme-ikev2-resumption-02 through and here are some more generic comments to it: --- In Section 3 we present 2 use cases, and then after figure 1 start talking about "In this scenario..." and I think that refers to first use scenario described i

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Yaron Sheffer
Hi Tero, To answer the last part of your mail, we always intended address change (and presumably, NAT detection status change) to be supported. This should be clarified in the document, and I have opened Issue #100 for this. However, given that normal NAT detection happens during IKE_SA_INIT, can

[IPsec] Multiple payloads of same type

2009-04-21 Thread Kalyani Garigipati (kagarigi)
Hi, Please validate if the following is true. Apart form Notify, DELETE, Vendor ID, CERT, CERTREQ, PROPOSAL, TRANFORM, TSi and TSr all other payloads like SA1, SA2, IDi, IDr, KE, NONCE, DELETE, AUTH, CONFIG, ENCRYPT should not be sent as multiple payloads. Like if we get packet as HDR, SA1, SA1

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Tero Kivinen
Narayanan, Vidya writes: > Hi Yaron, > We are going back to revisiting consensus here and re-explaining the > use cases and I'd certainly like to keep this to as minimum a > revisit as possible. The use cases go back to what has been > documented in the problem statement we published a while back

Re: [IPsec] WG Last Call: draft-ietf-ipsecme-ikev2-redirect-08

2009-04-21 Thread Yoav Nir
So are we working with the assumption that the gateway (or the AAA server) can always authenticate any user that connects? > -Original Message- > From: Yaron Sheffer > Sent: Monday, April 20, 2009 10:43 AM > To: Yoav Nir; Vijay Devarapalli > Cc: IPsecme WG > Subject: RE: [IPsec] WG Last

Re: [IPsec] Issue #63: Position of arbitrary notify payloads

2009-04-21 Thread Tero Kivinen
Paul Hoffman writes: > At 3:55 PM +0300 4/3/09, Tero Kivinen wrote: > >Btw, is there any reason why [V+] is not listed in the IKE_AUTH > >excghange with EAP in the intermediate EAP messages and final AUTH > >request from the initiator? > > We could add it, but I think that would surprise some impl