[IPsec] Issue #98: 1 or two round trips for resumption

2009-04-08 Thread Paul Hoffman
Greetings again. Tracker issue #98 is the same as the message that Pasi sent to the mailing list last month; see . There is disagreement among the authors of the session resumption draft how to deal with this issue. One proposal

[IPsec] Issue #98: 1 or two round trips for resumption

2009-04-09 Thread Tero Kivinen
Paul Hoffman writes: > Greetings again. Tracker issue #98 is the same as the message that > Pasi sent to the mailing list last month; see > . > There is disagreement among the authors of the session resumption > draft how to deal wit

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-11 Thread Yoav Nir
gateway to decide. > -Original Message- > From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] > On Behalf Of Paul Hoffman > Sent: Wednesday, April 08, 2009 8:56 PM > To: IPsecme WG > Subject: [IPsec] Issue #98: 1 or two round trips for resumption > >

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-13 Thread Lakshminath Dondeti
- From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of Paul Hoffman Sent: Wednesday, April 08, 2009 8:56 PM To: IPsecme WG Subject: [IPsec] Issue #98: 1 or two round trips for resumption Greetings again. Tracker issue #98 is the same as the message that Pasi sent to the

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-13 Thread Paul Hoffman
At 11:37 PM +0530 4/13/09, Lakshminath Dondeti wrote: >Are you saying that currently large installations use the 6-message version of >IKEv2? Are you saying that the threat model for 1-round-trip session resumption is the same as for IKEv2 without cookies? If not, could you explain the above c
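The comparison behind Paul's question (a one-round-trip resumption versus IKEv2's cookie-protected IKE_SA_INIT) can be made concrete with a small simulation. The block below is an added illustration, not code from this thread or from the resumption draft: the cookie construction copies the IKEv2 IKE_SA_INIT idea (a MAC over a gateway secret, the requester's source address and its nonce), while the ticket format, the message flow, the client name "alice" and the addresses are simplified, constructed assumptions. It runs the same spoofed-source replay flood against a gateway in one-round-trip mode and in a two-round-trip mode that answers the first packet with a stateless cookie, and counts what the gateway has to spend in each case.

```python
"""
Toy model of the DoS difference between a one-round-trip resumption exchange
and a two-round-trip exchange that starts with a stateless cookie.  Added
illustration, not code from the thread or the resumption draft; the cookie
follows the IKEv2 IKE_SA_INIT idea, everything else is a simplified assumption.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

LEGIT_IP = "198.51.100.7"   # constructed sample address of the honest client
TAG_LEN = 32                # HMAC-SHA256 output length


@dataclass
class Gateway:
    ticket_key: bytes
    cookie_secret: bytes = field(default_factory=lambda: os.urandom(16))
    sa_state: dict = field(default_factory=dict)   # per-peer IKE SA state
    ticket_ops: int = 0                           # costly ticket verifications
    replies: list = field(default_factory=list)   # (destination ip, kind)

    def issue_ticket(self, client_id: str) -> bytes:
        # Simplified ticket: client id || HMAC under the gateway's ticket key.
        body = client_id.encode()
        return body + hmac.new(self.ticket_key, body, hashlib.sha256).digest()

    def _verify_ticket(self, ticket: bytes) -> Optional[str]:
        self.ticket_ops += 1
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        expected = hmac.new(self.ticket_key, body, hashlib.sha256).digest()
        return body.decode() if hmac.compare_digest(tag, expected) else None

    def _cookie(self, src_ip: str, nonce: bytes) -> bytes:
        # Stateless: recomputable from the secret plus fields in the request.
        return hmac.new(self.cookie_secret, src_ip.encode() + nonce, hashlib.sha256).digest()

    def resume_1rt(self, src_ip: str, nonce: bytes, ticket: bytes) -> None:
        # One round trip: verify the ticket and allocate state on the first packet.
        client = self._verify_ticket(ticket)
        if client is not None:
            self.sa_state[(src_ip, nonce)] = client
            self.replies.append((src_ip, "resumed"))

    def resume_2rt(self, src_ip: str, nonce: bytes, ticket: bytes,
                   cookie: Optional[bytes] = None) -> Optional[bytes]:
        # First packet: answer with a cookie only, no ticket check, no state.
        if cookie is None:
            self.replies.append((src_ip, "cookie"))
            return self._cookie(src_ip, nonce)
        # Second packet: only a peer that actually received the cookie at src_ip passes.
        if hmac.compare_digest(cookie, self._cookie(src_ip, nonce)):
            self.resume_1rt(src_ip, nonce, ticket)
        return None


def simulate(mode: str, attack_packets: int = 1000) -> dict:
    """One honest resumption plus a spoofed-source replay flood; returns counters."""
    gw = Gateway(ticket_key=os.urandom(32))
    ticket = gw.issue_ticket("alice")
    nonce = b"honest-n"
    if mode == "1rt":
        gw.resume_1rt(LEGIT_IP, nonce, ticket)
        round_trips = 1
    else:
        cookie = gw.resume_2rt(LEGIT_IP, nonce, ticket)
        gw.resume_2rt(LEGIT_IP, nonce, ticket, cookie)
        round_trips = 2
    # Attacker replays the captured ticket from forged source addresses.  In the
    # cookie variant it never sees the cookie, so it either omits it or guesses.
    for i in range(attack_packets):
        spoofed_ip = f"203.0.113.{i % 254 + 1}"
        anonce = i.to_bytes(8, "big")
        if mode == "1rt":
            gw.resume_1rt(spoofed_ip, anonce, ticket)
        elif i % 2 == 0:
            gw.resume_2rt(spoofed_ip, anonce, ticket)
        else:
            gw.resume_2rt(spoofed_ip, anonce, ticket, cookie=bytes(TAG_LEN))
    to_spoofed = [r for r in gw.replies if r[0] != LEGIT_IP]
    return {
        "legit_round_trips": round_trips,
        "legit_resumed": (LEGIT_IP, "resumed") in gw.replies,
        "sa_state": len(gw.sa_state),
        "ticket_ops": gw.ticket_ops,
        "spoofed_replies": len(to_spoofed),
        "spoofed_full_replies": sum(1 for r in to_spoofed if r[1] == "resumed"),
    }


if __name__ == "__main__":
    for mode in ("1rt", "2rt"):
        print(mode, simulate(mode))
```

In the one-round-trip run every forged packet costs the gateway a ticket verification, an allocated SA entry and a full reply sent to the spoofed address; in the cookie run the forged packets cost only a cheap cookie computation and a small reflected reply, no state is created and the ticket is never checked until a peer proves it can receive at its claimed address. The price of the cookie variant is the extra round trip on the honest path, which is exactly the latency cost argued over later in this thread.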

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-13 Thread Lakshminath Dondeti
I am saying they are similar (I wouldn't say they are the same, as they are two different protocols operating in different contexts). regards, Lakshminath On 4/14/2009 1:33 AM, Paul Hoffman wrote: At 11:37 PM +0530 4/13/09, Lakshminath Dondeti wrote: Are you saying that currently large instal

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Paul Hoffman
Greetings again. Of the people who replied, two favored mandating two round trips, and one favored keeping the current one round trip. That (anemic) result, plus the comment that led to this thread, leads me to say that we need to change draft-ietf-ipsecme-ikev2-resumption to require two roun

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Lakshminath Dondeti
Paul, Before the one roundtrip mechanism is deleted, could you summarize how the security issue that was raised is applicable under the threat model we work with? Let me help you out. It is not really applicable. Here is why: RFC 3552 says that "While it is not a requirement that any give

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Paul Hoffman
At 11:15 PM +0530 4/20/09, Lakshminath Dondeti wrote: >Before the one roundtrip mechanism is deleted, could you summarize how the >security issue that was raised is applicable under the threat model we work >with? No, I can summarize it after it is deleted, given that I deleted it in my last me

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Lakshminath Dondeti
On 4/20/2009 11:50 PM, Paul Hoffman wrote: At 11:15 PM +0530 4/20/09, Lakshminath Dondeti wrote: Before the one roundtrip mechanism is deleted, could you summarize how the security issue that was raised is applicable under the threat model we work with? No, I can summarize it after it is delet

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Narayanan, Vidya
sec-boun...@ietf.org] On Behalf > Of Paul Hoffman > Sent: Wednesday, April 08, 2009 10:56 AM > To: IPsecme WG > Subject: [IPsec] Issue #98: 1 or two round trips for resumption > > Greetings again. Tracker issue #98 is the same as the message that Pasi > sent to the mailing list

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Yaron Sheffer
day, April 20, 2009 22:52 > To: Paul Hoffman; IPsecme WG > Subject: Re: [IPsec] Issue #98: 1 or two round trips for resumption > > Considering that I didn't know what "now" meant and this message didn't > have a deadline, I hope my input is considered. I prefe

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Nicolas Williams
On Mon, Apr 20, 2009 at 11:20:55AM -0700, Paul Hoffman wrote: > At 11:15 PM +0530 4/20/09, Lakshminath Dondeti wrote: > >Before the one roundtrip mechanism is deleted, could you summarize > >how the security issue that was raised is applicable under the threat > >model we work with? > > No, I can

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Narayanan, Vidya
---Original Message- > From: Yaron Sheffer [mailto:yar...@checkpoint.com] > Sent: Monday, April 20, 2009 2:13 PM > To: Narayanan, Vidya; Paul Hoffman; IPsecme WG > Subject: RE: [IPsec] Issue #98: 1 or two round trips for resumption > > [As a coauthor of this draft:]

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Narayanan, Vidya
cme WG > Subject: Re: [IPsec] Issue #98: 1 or two round trips for resumption > > > > Greetings again. Of the people who replied, two favored mandating two > round trips, and one favored keeping the current one round trip. That > (anemic) result, plus the comment that led

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-20 Thread Narayanan, Vidya
rg] On Behalf > Of Narayanan, Vidya > Sent: Monday, April 20, 2009 9:20 PM > To: Paul Hoffman; IPsecme WG > Subject: Re: [IPsec] Issue #98: 1 or two round trips for resumption > > Hi Paul, > For my clarification, could you please state who are the people on each > side of this

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Tero Kivinen
Narayanan, Vidya writes: > Hi Yaron, > We are going back to revisiting consensus here and re-explaining the > use cases and I'd certainly like to keep this to as minimum a > revisit as possible. The use cases go back to what has been > documented in the problem statement we published a while back

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Yaron Sheffer
ubject: Re: [IPsec] Issue #98: 1 or two round trips for resumption > > Narayanan, Vidya writes: > > Hi Yaron, > > We are going back to revisiting consensus here and re-explaining the > > use cases and I'd certainly like to keep this to as minimum a > > revisit

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Tero Kivinen
Yaron Sheffer writes: > However, given that normal NAT detection happens during IKE_SA_INIT, can you > clarify why this would work better if we had a 2 RT protocol? I think this should explain it: > > exchange too. Allowing IP-addresses change means that the network > > where the packets can come

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Narayanan, Vidya
> > From the ipsecme charter: > > Failover from one gateway to another, mechanisms for detecting > when a session should be resumed, and specifying communication > mechanisms between gateways are beyond the scope of this work > item. > > Thus failover from one gateway to an

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-21 Thread Lakshminath Dondeti
On 4/21/2009 5:23 PM, Tero Kivinen wrote: I still do not think making the 1 RT protocol to 2 RT protocol in that case would really cause any noticeable effect to the actual handover. Hi Tero, How do you know this? I ask because, I would like to use those arguments to tell people who are

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-22 Thread Tero Kivinen
Narayanan, Vidya writes: > This is really just a terminology issue. Most of the use cases in > that document are applicable to resumption. In fact, the current > solution for resumption is based on what was produced as a result of > that problem statement (combined with Yaron's draft at the time)

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-22 Thread Tero Kivinen
Lakshminath Dondeti writes: > > I still do not think making the 1 RT protocol to 2 RT protocol in that > > case would really cause any noticeable effect to the actual handover. > > How do you know this? Because 10ms-100ms is MUCH less than 10 seconds or so I usually see as DHCP delays on WLAN net

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-23 Thread Lakshminath Dondeti
On 4/22/2009 4:11 PM, Tero Kivinen wrote: Lakshminath Dondeti writes: I still do not think making the 1 RT protocol to 2 RT protocol in that case would really cause any noticeable effect to the actual handover. How do you know this? Because 10ms-100ms is MUCH less than 10 se

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-23 Thread Tero Kivinen
Lakshminath Dondeti writes: > When did MOBIKE come into picture? What are you saying Tero, that IPsec > session resumption is an alternative to MOBIKE and a slow one at that? Yes. Both solve the same problem that IKE SA recovers from the IP-address change, or switching from one network to anoth

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-23 Thread Lakshminath Dondeti
On 4/23/2009 3:57 PM, Tero Kivinen wrote: Lakshminath Dondeti writes: When did MOBIKE come into picture? What are you saying Tero, that IPsec session resumption is an alternative to MOBIKE and a slow one at that? Yes. Both solve the same problem that IKE SA recovers from the IP-add

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-23 Thread Tero Kivinen
Lakshminath Dondeti writes: > MOBIKE assumes that the other side has state, correct? Yes. > Session resumption has to do with providing that state. How are they > the same? In this example given (handover from cellular to wlan, without breaking existing phone call), I do not really see any poin

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-24 Thread Narayanan, Vidya
rom: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf > Of Tero Kivinen > Sent: Thursday, April 23, 2009 6:50 AM > To: Dondeti, Lakshminath > Cc: IPsecme WG; Paul Hoffman > Subject: Re: [IPsec] Issue #98: 1 or two round trips for resumption > > Lakshminath Dondet

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-24 Thread Lakshminath Dondeti
On 4/23/2009 7:19 PM, Tero Kivinen wrote: Lakshminath Dondeti writes: MOBIKE assumes that the other side has state, correct? Yes. Session resumption has to do with providing that state. How are they the same? In this example given (handover from cellular to wlan, withou

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-27 Thread Tero Kivinen
Narayanan, Vidya writes: > Somehow, we in the IETF think that we can make decisions for other > standards bodies, especially ones that do real deployments. I don't > know how we can say things like they should always use the IKE SA > whether they need it or not - there can be several reasons not t

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-27 Thread Tero Kivinen
Lakshminath Dondeti writes: > > You should not really do break-before-make style of transitions on > > real-time environments, and if you keep the old connection while > > making the new one, then this whole issue is non-issue. > Good advice, but that consensus process is from elsewhere. Not every

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-29 Thread Narayanan, Vidya
> > It is impossible for IETF to think about those other standard bodies, > as we do not know what they plan to do. I have several times tried to > get people to explain to me the use case for which this protocol has been > aimed for, so I could think whether some specific attack or > optimization is

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-29 Thread Narayanan, Vidya
[IPsec] Issue #98: 1 or two round trips for resumption > > > > > It is impossible for IETF to think about those other standard bodies, > > as we do not know what they plan to do. I have several times tried to > > get people to explain to me the use case for which this pro

Re: [IPsec] Issue #98: 1 or two round trips for resumption

2009-04-30 Thread Tero Kivinen
Narayanan, Vidya writes: > The requirement is quite simple and you just seem to ignore it or > provide unacceptable alternatives. The handoff latency must be good What handoff? We are talking about resumption, not handoff. I do not consider those same. Or then I understand completely wrong what