-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Nico Williams
Sent: Saturday, January 21, 2012 3:10 AM
To: Prashant Batra (prbatra)
Cc: [email protected]
Subject: Re: [IPsec] query related to rekey

On Fri, Jan 20, 2012 at 3:10 PM, Prashant Batra (prbatra) <[email protected]> wrote:
> > Clearly some interlocking here would be nice, otherwise there will be
> > a race and high likelihood of dropped packets, with ensuing pain at
> > higher layers. IMO the CREATE_CHILD_SA reply indicates that the peer
> > is ready to receive on that SA, but the local node may not be able to
> > do so until the CREATE_CHILD_SA reply is processed, so the peer should
> > NOT send on the new SA until it sees a DELETE of the old child SA.
>
> [Prashant] That's from the responder side, but it may happen that the
> node initiating IKE_REKEY wants to initiate CHILD_SA_REKEY
> after sending IKE_REKEY_REQUEST as the childsa is expired. So, it has to do
> it on the old IKE_SA as it has not received the response.
> So is this case correct?

I described both sides. Again: the initiator should use the new SA as soon as the responder rekey reply is processed by the initiator, while the responder should use the old SA until the initiator deletes it.

[Prashant] Yes, that should be fine.

Obviously, if the old SA expires, well, the responder must use the new SA. So initiate rekeys such that there's enough time to complete the rekey.

[Prashant] Still, one case: if the ikesa and childsa expire at the same time, then assume a node initiates ikesa-rekey and wants to initiate childsa-rekey also. Should it wait for the response of the ikesa-rekey to come and then initiate childsa-rekey on the new SA, or initiate childsa-rekey on the old SA before processing the ikesa-rekey response?

As for simultaneous re-keying, well, see section 2.8.1 of RFC5996.

> [Prashant] So, what is an ideal implementation that should be followed?
> I think sticking to one standard, that is, always send on the old SA
> until you send DELETE, is a good option.

On the responder side, yes, subject to the caveats about SA expiration and simultaneous rekeying. On the initiator side you should send with the new SA as soon as you install it.
Nico
--
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
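The send-side rule argued in the thread above, as an added example that is not part of the mailing-list exchange, RFC 5996, or any real IKE implementation: a small Python model in which each peer picks the Child SA to transmit on from its local state. The initiator moves to the new SA once it has processed the CREATE_CHILD_SA reply; the responder stays on the old SA until a DELETE arrives or the old SA expires, while accepting on both. The SPI values, tick-based lifetimes, event sequence and function names are all constructed for the example; it also demonstrates the dropped-packet race Nico describes and the expiry caveat.

```python
"""Toy model of which Child SA each peer sends on during an IKEv2 rekey.

Constructed example for illustration (not code from the mailing-list thread,
RFC 5996, or any real IKE stack). It encodes the rule discussed above:
  * initiator: send on the new Child SA as soon as the CREATE_CHILD_SA reply
    has been processed locally, then DELETE the old SA;
  * responder: keep sending on the old Child SA until a DELETE for it arrives
    or the old SA expires, while being ready to receive on both.
SPI values, tick-based lifetimes and the event sequence are all constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OLD_SPI = 0x1111  # constructed SPI of the Child SA being replaced
NEW_SPI = 0x2222  # constructed SPI of the replacement Child SA


@dataclass
class ChildSA:
    spi: int
    expires_at: int        # constructed "tick" at which the SA hard-expires
    deleted: bool = False  # set once a DELETE for this SA has been sent/processed

    def usable(self, now: int) -> bool:
        return not self.deleted and now < self.expires_at


class Peer:
    def __init__(self, role: str, old: ChildSA):
        assert role in ("initiator", "responder")
        self.role = role
        self.old = old
        self.new: Optional[ChildSA] = None  # installed when the rekey completes locally

    def accepts(self, spi: int, now: int) -> bool:
        """Receive side: any installed, live SA is acceptable, old or new."""
        return any(sa is not None and sa.spi == spi and sa.usable(now)
                   for sa in (self.old, self.new))

    def outbound(self, now: int) -> Optional[int]:
        """Send side: the SPI this peer should use at tick `now`."""
        old_ok = self.old.usable(now)
        new_ok = self.new is not None and self.new.usable(now)
        if self.role == "initiator":
            # Switch to the new SA the moment it is installed (reply processed).
            if new_ok:
                return self.new.spi
            return self.old.spi if old_ok else None
        # Responder: stay on the old SA until it is deleted or expires.
        if old_ok:
            return self.old.spi
        return self.new.spi if new_ok else None


def run_rekey_timeline() -> List[Tuple[int, Optional[int], Optional[int]]]:
    """Scripted CREATE_CHILD_SA rekey; returns (tick, initiator_spi, responder_spi)."""
    ini = Peer("initiator", ChildSA(OLD_SPI, expires_at=10))
    rsp = Peer("responder", ChildSA(OLD_SPI, expires_at=10))
    trace = []
    # t=1: initiator has sent the CREATE_CHILD_SA request; nothing new installed yet.
    trace.append((1, ini.outbound(1), rsp.outbound(1)))
    # t=2: responder processes the request, installs the new SA and sends the reply.
    rsp.new = ChildSA(NEW_SPI, expires_at=20)
    trace.append((2, ini.outbound(2), rsp.outbound(2)))
    # t=3: initiator processes the reply, installs the new SA and switches to it.
    ini.new = ChildSA(NEW_SPI, expires_at=20)
    trace.append((3, ini.outbound(3), rsp.outbound(3)))
    # t=4: initiator sends DELETE for the old SA; responder processes it.
    ini.old.deleted = True
    rsp.old.deleted = True
    trace.append((4, ini.outbound(4), rsp.outbound(4)))
    return trace


def early_responder_switch_is_dropped() -> bool:
    """The race the thread warns about: responder sends on the new SA right after
    replying (t=2), before the initiator has processed the reply and installed it."""
    ini = Peer("initiator", ChildSA(OLD_SPI, expires_at=10))
    rsp = Peer("responder", ChildSA(OLD_SPI, expires_at=10))
    rsp.new = ChildSA(NEW_SPI, expires_at=20)
    return not ini.accepts(NEW_SPI, now=2)  # True: the packet would be dropped


def responder_uses_new_after_old_expires() -> Optional[int]:
    """Expiry caveat: with no DELETE seen, the responder must still move to the
    new SA once the old one has expired."""
    rsp = Peer("responder", ChildSA(OLD_SPI, expires_at=10))
    rsp.new = ChildSA(NEW_SPI, expires_at=20)
    return rsp.outbound(now=10)


if __name__ == "__main__":
    for tick, i_spi, r_spi in run_rekey_timeline():
        print(f"t={tick}: initiator->{i_spi:#06x}  responder->{r_spi:#06x}")
```

Running the module prints the per-tick choice: both sides on the old SPI until the initiator has processed the reply at t=3, where the initiator alone moves to the new SPI, and the responder follows only after the DELETE at t=4. The asymmetry is deliberate: each side switches on an event it has itself observed, so neither transmits on an SA the other may not yet have installed.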
