tech-net archive


Re: why is SA lifetime kilobyte limit disabled in racoon?



hsuenaga%iij.ad.jp@localhost said:
> The two rekeying sessions make two pairs of IPsec-SAs. racoon can do
> this, and IPsec implementations (kernel side) do one of the following:
>
>  a. Use the oldest IPsec-SA to send and keep all IPsec-SAs to
> receive (KAME)
>  b. Use the newest IPsec-SA to send and keep all IPsec-SAs to receive (FAST
> IPsec)
>  c. Use the newest IPsec-SA to send/receive and purge older IPsec-SAs

Thanks for mentioning that problem -- this was my other question
on the mailing list.

> Of course, c. is bad behavior, but small implementations (kernel side)
> may handle only one session and one key pair at a time.

I think that even if we avoid assumptions about things not clearly
stated in the standards, we can safely assume that an implementation
will not fall back to an old key once it has started using a new one
for sending. This means one could safely remove old SAs after one
receives packets with the new SPI. Well, only authenticated ones
should count... This is not easily done in BSD due to the kernel /
userland abstractions, but feasible for embedded systems.

> Today, most implementations select b.

The problem with b is that the phase 2 initiator can't be sure that
the other side has the receive SA installed. The third message
of the 3-way handshake might be lost. I think there should be
a delay on the order of retry_timeout x retry_count before
the new sending SA is used. After that delay, either the
responder side got the third message, or the phase 2 negotiation
is declared failed anyway.
The responder can use the SA immediately. But now we have
an abstraction problem again: the kernel doesn't know about
IKE in general and initiator/responder roles in particular.
So the IKE daemon would have to implement the delay.

> But racoon is an old product,
> so it doesn't catch up with recent trends.

It is still somewhat maintained, and since there is not much
choice, we shouldn't let it rot...

best regards
Matthias



------------------------------------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren District Court, No. HR B 3498
Chairman of the Supervisory Board: MinDirig Dr. Karl Eugen Huthmacher
Management Board: Prof. Dr. Achim Bachem (Chairman),
Dr. Ulrich Krafft (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt,
Prof. Dr. Sebastian M. Schmidt
------------------------------------------------------------------------------------------------

Visit us on our new website at www.fz-juelich.de
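As an added illustration of the discussion above (this is not code from the thread or from racoon), the following small Python model plays through a phase 2 rekey under the three kernel policies a, b and c and the initiator-side delay proposed in the reply. It assumes a retransmit interval of 10 seconds, three retransmissions, and one data packet per second; the lost third quick-mode message is delivered by the first retransmission. It also models the reply's other idea: purging older inbound SAs once a packet on the new SPI has been accepted.

```python
"""Toy model of IPsec-SA selection during an IKE phase 2 rekey.

Constructed example, not racoon code. Time is in seconds and the initiator
sends one data packet per second, so the returned drop count is easy to read.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RETRY_TIMEOUT = 10   # assumed IKE retransmit interval (seconds)
RETRY_COUNT = 3      # assumed retransmissions before phase 2 is declared failed
INITIATOR_DELAY = RETRY_TIMEOUT * RETRY_COUNT   # the delay proposed in the thread


@dataclass
class SaTable:
    """One peer's IPsec SAs. policy is 'a', 'b' or 'c' as named in the thread."""
    policy: str
    inbound: Dict[int, float] = field(default_factory=dict)        # spi -> install time
    outbound: List[Tuple[float, int]] = field(default_factory=list)  # (install time, spi)

    def install(self, spi_in: int, spi_out: int, now: float) -> None:
        self.inbound[spi_in] = now
        self.outbound.append((now, spi_out))
        if self.policy == "c":
            # policy c: the newest pair only, older SAs are purged at once
            self.inbound = {spi_in: now}
            self.outbound = [(now, spi_out)]

    def sending_spi(self, now: float, delay: float = 0.0) -> int:
        if self.policy == "a":
            return self.outbound[0][1]          # oldest SA sends (KAME)
        # policies b and c send on the newest SA; with a delay, an SA is not
        # used for sending until `delay` seconds after it was installed
        mature = [entry for entry in self.outbound if now - entry[0] >= delay]
        if not mature:
            mature = self.outbound[:1]          # nothing mature yet: keep the oldest
        return max(mature)[1]

    def accepts(self, spi: int) -> bool:
        return spi in self.inbound

    def purge_older_inbound(self, spi: int) -> None:
        """Drop inbound SAs older than the one just used: the sender will not go back."""
        keep_from = self.inbound[spi]
        self.inbound = {s: t for s, t in self.inbound.items() if t >= keep_from}


def simulate(init_policy: str, resp_policy: str, delay: float = 0.0,
             msg3_lost: bool = True, purge_on_new_spi: bool = False,
             horizon: int = 40) -> Tuple[int, List[int]]:
    """Return (packets dropped at the responder, responder inbound SPIs at the end)."""
    init, resp = SaTable(init_policy), SaTable(resp_policy)
    # the existing pair, installed long ago: initiator sends on SPI 1, receives on 2
    init.install(spi_in=2, spi_out=1, now=-1000.0)
    resp.install(spi_in=1, spi_out=2, now=-1000.0)
    # t = 0: the initiator has message 2, sends message 3 and installs the new pair
    init.install(spi_in=4, spi_out=3, now=0.0)
    # the responder installs when message 3 arrives: at once, or on the first
    # retransmission if the first copy was lost on the wire
    resp_install_at = float(RETRY_TIMEOUT) if msg3_lost else 0.0
    dropped = 0
    for t in range(horizon):
        now = float(t)
        if now == resp_install_at:
            resp.install(spi_in=3, spi_out=4, now=now)
        spi = init.sending_spi(now, delay)
        if resp.accepts(spi):
            if purge_on_new_spi:
                resp.purge_older_inbound(spi)   # an accepted (authenticated) packet
        else:
            dropped += 1                        # no inbound SA for this SPI
    return dropped, sorted(resp.inbound)


if __name__ == "__main__":
    print("b/b, no delay, msg3 lost:      ", simulate("b", "b"))
    print("b/b, with delay, msg3 lost:    ", simulate("b", "b", delay=INITIATOR_DELAY))
    print("b/c, with delay, msg3 lost:    ", simulate("b", "c", delay=INITIATOR_DELAY))
    print("a/b, no delay, msg3 lost:      ", simulate("a", "b"))
    print("b/b, purge on new SPI, no loss:", simulate("b", "b", msg3_lost=False,
                                                        purge_on_new_spi=True))
```

The first run shows the race described in the reply: with policy b and no delay, every packet sent on the new SPI before the retransmitted third message arrives is dropped. Adding the retry_timeout x retry_count delay removes the loss as long as the responder keeps the old inbound SA; against a policy c responder the delay itself causes drops, which is why the thread calls c bad behaviour. The last run shows that purging old inbound SAs after an accepted packet on the new SPI leaves a single SA without losing anything.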

