[IPsec] Reauthentication extension for IKEv2
Martin Willi <martin@strongswan.org> Tue, 16 September 2008 07:17 UTC
Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0DF5328C120; Tue, 16 Sep 2008 00:17:40 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DA8B028C120 for <ipsec@core3.amsl.com>; Tue, 16 Sep 2008 00:17:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hroOV5jPFPhg for <ipsec@core3.amsl.com>; Tue, 16 Sep 2008 00:17:38 -0700 (PDT)
Received: from strongswan.org (sidv0150.hsr.ch [152.96.52.150]) by core3.amsl.com (Postfix) with ESMTP id 8CC1328C0E8 for <ipsec@ietf.org>; Tue, 16 Sep 2008 00:17:37 -0700 (PDT)
Received: from [152.96.15.212] (unknown [152.96.15.212]) by strongswan.org (Postfix) with ESMTP id 14B31EFA2A for <ipsec@ietf.org>; Tue, 16 Sep 2008 09:17:31 +0200 (CEST)
Message-ID: <48CF5D7D.7070701@strongswan.org>
Date: Tue, 16 Sep 2008 09:17:17 +0200
From: Martin Willi <martin@strongswan.org>
User-Agent: Thunderbird 2.0.0.16 (X11/20080724)
MIME-Version: 1.0
To: ipsec@ietf.org
Subject: [IPsec] Reauthentication extension for IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org
Hi, The reauthentication procedure for IKEv2 works as follows (from draft-ietf-ipsecme-ikev2bis-00 2.8.2): IKEv2 does not have any special support for reauthentication. Reauthentication is done by creating a new IKE_SA from scratch (using IKE_SA_INIT/IKE_AUTH exchanges, without any REKEY_SA notify payloads), creating new CHILD_SAs within the new IKE_SA (without REKEY_SA notify payloads), and finally deleting the old IKE_SA (which deletes the old CHILD_SAs as well). While this approach works and reuses existing protocol elements, it has some disadvantages. The problem is that we actually can't know that an incoming IKE_SA setup is used for reauthentication, as creating multiple identical IKE_SAs is perfectly feasible. 1. If a lot CHILD_SAs are established within the IKE_SA, this procedure needs a lot of exchanges to complete, increase load and reauth duration. During this stage, we also have multiple CHILD_SAs with the same traffic selectors. Defining priorities is difficult, as we don't know if the new IKE_SA is actually for reauthentication or not. 2. The server doesn't know that the new IKE_SA creation is used for reauthentication and can't assign the same INTERNAL_ADDRESS to the peer without risking an address conflict. This will result in an address change and will close established connections using that address. 3. Housekeeping and connection monitoring gets ways more complicated, as the new IKE_SA does not have any relation to the old one. Mainly because of 2., we have been forced to do the reauthentication procedure by closing the IKE_SA before establishing the new one. This will eliminate the address flicker, but introduces a connectivity gap of seconds. While there are workarounds to these problems, I don't see a way to implement reauthentication properly and reliable. Because of these problems I'm thinking about an extension to do the reauthentication within an established IKE_SA (think of the existing rekeying procedure, but with an additional AUTH/EAP exchange). What do you think about such an extension? Already considered something similar, or does your reauthentication procedure work hassle-free? I'm wondering if we are the only ones facing these problems or if such an extension would gain broader acceptance... Regards, Martin - strongSwan project _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] Reauthentication extension for IKEv2 Martin Willi
- [IPsec] Reauthentication extension for IKEv2 Tero Kivinen
- Re: [IPsec] Reauthentication extension for IKEv2 Martin Willi
- Re: [IPsec] Reauthentication extension for IKEv2 Tero Kivinen
- Re: [IPsec] Reauthentication extension for IKEv2 David Wierbowski
- [IPsec] Reauthentication extension for IKEv2 David Wierbowski
- Re: [IPsec] Reauthentication extension for IKEv2 Yoav Nir
- Re: [IPsec] Reauthentication extension for IKEv2 Yoav Nir
- [IPsec] Reauthentication extension for IKEv2 Tero Kivinen
- Re: [IPsec] Reauthentication extension for IKEv2 Tero Kivinen
- Re: [IPsec] Reauthentication extension for IKEv2 Martin Willi
- Re: [IPsec] Reauthentication extension for IKEv2 Yoav Nir
- Re: [IPsec] Reauthentication extension for IKEv2 Pasi.Eronen
- Re: [IPsec] Reauthentication extension for IKEv2 Tero Kivinen
- Re: [IPsec] Reauthentication extension for IKEv2 Tero Kivinen
- Re: [IPsec] Reauthentication extension for IKEv2 Pasi.Eronen
- [IPsec] Reauthentication extension for IKEv2 Gary Hemminger
- Re: [IPsec] Reauthentication extension for IKEv2 Yoav Nir
- Re: [IPsec] Reauthentication extension for IKEv2 Gary Hemminger
- [IPsec] Identifying encrypted traffic (was: Reaut… Yaron Sheffer
- Re: [IPsec] Identifying encrypted traffic (was: R… Gary Hemminger
- Re: [IPsec] Identifying encrypted traffic (was: R… Yaron Sheffer
- Re: [IPsec] Identifying encrypted traffic (was: R… Grewal, Ken
- Re: [IPsec] Identifying encrypted traffic (was: R… Yaron Sheffer
- Re: [IPsec] Identifying encrypted traffic (was: R… Gary Hemminger
- Re: [IPsec] Identifying encrypted traffic (was: R… Gary Hemminger
- Re: [IPsec] Identifying encrypted traffic (was: R… Yaron Sheffer
- Re: [IPsec] Identifying encrypted traffic (was: R… Yoav Nir
- Re: [IPsec] Identifying encrypted traffic (was: R… Grewal, Ken
- Re: [IPsec] Identifying encrypted traffic (was: R… Grewal, Ken
- Re: [IPsec] Identifying encrypted traffic (was: R… Grewal, Ken
- Re: [IPsec] Identifying encrypted traffic (was: R… Gary Hemminger
- Re: [IPsec] Identifying encrypted traffic (was: R… Gary Hemminger
- Re: [IPsec] Identifying encrypted traffic (was: R… Yaron Sheffer
- Re: [IPsec] Identifying encrypted traffic (was: R… Gary Hemminger