Hello,
In case you are interested in detailed procedures of the 3GPP specification, I
have copied them at the end of this mail.
> > I am confused. Is this a notify of the server to the client, or a
> > configuration item by the server instructing client behaviour?
>
> It is notify from the server to client. I.e. client sends empty
> TIMEOUT_PERIOD_FOR_LIVENESS_CHECK in the CFG_REQUEST and
> server will send value in seconds inside its
> TIMEOUT_PERIOD_FOR_LIVENESS_CHECK in CFG_REPLY. I.e. the server asks client
> to use following liveness timeout period.
3GPP spec expects that if the client (User Equipment) supports the
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK configuration attribute, then the client
(User Equipment) *enforces* the timer value indicated in the
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK configuration attribute in CFG_REPLY sent by
server (Evolved Packet Data Gateway).
I.e. it is an instruction, not a suggestion.
It is supposed to work as follows:

 first request       --> IDi,
                         [N(INITIAL_CONTACT)],
                         [[N(HTTP_CERT_LOOKUP_SUPPORTED)], CERTREQ+],
                         [IDr],
                         [CP(CFG_REQUEST (*TIMEOUT_PERIOD_FOR_LIVENESS_CHECK
                             with empty value*) )],
                         [N(IPCOMP_SUPPORTED)+],
                         [N(USE_TRANSPORT_MODE)],
                         [N(ESP_TFC_PADDING_NOT_SUPPORTED)],
                         [N(NON_FIRST_FRAGMENTS_ALSO)],
                         SA, TSi, TSr,
                         [V+][N+]

 first response      <-- IDr, [CERT+], AUTH,
                         EAP,
                         [V+][N+]

                   / --> EAP
 repeat 1..N times |
                   \ <-- EAP

 last request        --> AUTH

 last response       <-- AUTH,
                         [CP(CFG_REPLY(*TIMEOUT_PERIOD_FOR_LIVENESS_CHECK
                             with a value selected by server*))],
                         [N(IPCOMP_SUPPORTED)],
                         [N(USE_TRANSPORT_MODE)],
                         [N(ESP_TFC_PADDING_NOT_SUPPORTED)],
                         [N(NON_FIRST_FRAGMENTS_ALSO)],
                         SA, TSi, TSr,
                         [N(ADDITIONAL_TS_POSSIBLE)],
                         [V+][N+]

If the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK with a value selected by server is
received as shown above, the client (user equipment) must perform the liveness
check procedure with the timeout indicated by the
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK configuration attribute.
Detailed TS 24.302 client procedures related to the
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute are:
-------------
7.2.2 Tunnel establishment
7.2.2.1 Tunnel establishment accepted by the network
.....
The UE may support the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified
in subclause 8.2.4.2. If the UE supports the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK
attribute, the UE shall include the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute
indicating support of receiving timeout period for liveness check in the
CFG_REQUEST configuration payload. If the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK
attribute as specified in subclause 8.2.4.2 indicating the timeout period for
the liveness check is included in the CFG_REPLY configuration payload or if the
UE has a pre-configured timeout period, the UE shall perform the tunnel
liveness checks as described in subclause 7.2.2A.
NOTE: The timeout period for liveness check is pre-configured in the UE in
implementation-specific way.
.....
7.2.2A Liveness check
If the UE supports the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as specified
in subclause 8.2.4.2 and the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as
specified in subclause 8.2.4.2 was included in the CFG_REPLY configuration
payload received in subclause 7.2.2 the UE shall set the timeout period for the
liveness check to the value of the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute.
If the UE does not support the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as
specified in subclause 8.2.4.2 or the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK
attribute as specified in subclause 8.2.4.2 was not included in the CFG_REPLY
configuration payload received in subclause 7.2.2 then the UE shall use the
pre-configured value of the timeout period for liveness check.
NOTE: The timeout period is pre-configured in the UE in
implementation-specific way.
If the UE has not received any cryptographically protected IKEv2 or IPSec
message for the duration of the timeout period for liveness check, the UE shall
send an INFORMATIONAL request with no payloads as per IETF RFC 5996 [28]. If an
INFORMATIONAL response is not received, the UE shall deem the IKEv2 security
association to have failed.
-------------
Detailed TS 24.302 server procedures related to the
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute are:
-------------
The ePDG shall proceed with IPsec tunnel setup completion and shall relay in
the IKEv2 Configuration Payload (CFG_REPLY) of the final IKE_AUTH response
message:
...
- The ePDG may include the TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute as
specified in subclause 8.2.4.2 indicating the timeout period for liveness check
in the CFG_REPLY configuration payload. Presence of the
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute in the IKE_AUTH request can be used
as input for decision on whether to include the
TIMEOUT_PERIOD_FOR_LIVENESS_CHECK attribute.
...
-------------
Kind regards
Ivo Sedlacek
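
Added example, not part of the original mail and not 3GPP or vendor code: a client-side sketch of the 7.2.2A selection quoted above, parsing the attribute list of the CFG_REPLY and falling back to the pre-configured value. The function names, the attribute type 16391, the 4-octet value length, and the fallback on a malformed or empty attribute are assumptions that the mail does not state.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption: attribute type 16391 with a 4-octet value in seconds. The mail
 * gives neither; check TS 24.302 subclause 8.2.4.2 before reusing them. */
#define ATTR_LIVENESS_TIMEOUT 16391u

/* Constructed sample attribute lists (not captured traffic). */
static const uint8_t sample_request[] = { 0x40, 0x07, 0x00, 0x00 }; /* empty value */
static const uint8_t sample_reply[] = {
    0x00, 0x01, 0x00, 0x04, 10, 0, 0, 1,            /* INTERNAL_IP4_ADDRESS */
    0x40, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x3c  /* liveness timeout: 60 s */
};

/* Walk a Configuration payload attribute list (RFC 7296, section 3.15.1:
 * reserved bit + 15-bit type, 16-bit length, value). Returns 1 and sets
 * *secs when the attribute carries a value, 0 when it is absent or empty,
 * -1 when the list is malformed. */
int find_liveness_timeout(const uint8_t *a, size_t len, uint32_t *secs)
{
    size_t off = 0;
    int found = 0;
    while (off < len) {
        if (len - off < 4) return -1;             /* truncated header */
        unsigned type = ((a[off] & 0x7fu) << 8) | a[off + 1];
        size_t alen = ((size_t)a[off + 2] << 8) | a[off + 3];
        off += 4;
        if (alen > len - off) return -1;          /* value overruns the payload */
        if (type == ATTR_LIVENESS_TIMEOUT && alen != 0) {
            if (alen != 4) return -1;             /* unexpected value size */
            *secs = ((uint32_t)a[off] << 24) | ((uint32_t)a[off + 1] << 16) |
                    ((uint32_t)a[off + 2] << 8) | a[off + 3];
            found = 1;
        }
        off += alen;
    }
    return found;
}

/* Client-side choice from the quoted 7.2.2A text. Falling back to the
 * pre-configured value on a malformed or empty attribute is an assumption. */
uint32_t liveness_timeout(int ue_supports, const uint8_t *reply, size_t len,
                          uint32_t preconfigured)
{
    uint32_t secs = 0;
    if (ue_supports && find_liveness_timeout(reply, len, &secs) == 1)
        return secs;
    return preconfigured;
}
```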