IETF Logo Mail Archive

[IPsec] Reauthentication extension for IKEv2

Martin Willi <martin@strongswan.org> Tue, 16 September 2008 07:17 UTC

Return-Path: <ipsec-bounces@ietf.org>
X-Original-To: ipsec-archive@megatron.ietf.org
Delivered-To: ietfarch-ipsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0DF5328C120; Tue, 16 Sep 2008 00:17:40 -0700 (PDT)
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DA8B028C120 for <ipsec@core3.amsl.com>; Tue, 16 Sep 2008 00:17:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hroOV5jPFPhg for <ipsec@core3.amsl.com>; Tue, 16 Sep 2008 00:17:38 -0700 (PDT)
Received: from strongswan.org (sidv0150.hsr.ch [152.96.52.150]) by core3.amsl.com (Postfix) with ESMTP id 8CC1328C0E8 for <ipsec@ietf.org>; Tue, 16 Sep 2008 00:17:37 -0700 (PDT)
Received: from [152.96.15.212] (unknown [152.96.15.212]) by strongswan.org (Postfix) with ESMTP id 14B31EFA2A for <ipsec@ietf.org>; Tue, 16 Sep 2008 09:17:31 +0200 (CEST)
Message-ID: <48CF5D7D.7070701@strongswan.org>
Date: Tue, 16 Sep 2008 09:17:17 +0200
From: Martin Willi <martin@strongswan.org>
User-Agent: Thunderbird 2.0.0.16 (X11/20080724)
MIME-Version: 1.0
To: ipsec@ietf.org
Subject: [IPsec] Reauthentication extension for IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ipsec-bounces@ietf.org
Errors-To: ipsec-bounces@ietf.org

Hi,

The reauthentication procedure for IKEv2 works as follows (from
draft-ietf-ipsecme-ikev2bis-00 2.8.2):

   IKEv2 does not have any special support for reauthentication.
   Reauthentication is done by creating a new IKE_SA from scratch (using
   IKE_SA_INIT/IKE_AUTH exchanges, without any REKEY_SA notify
   payloads), creating new CHILD_SAs within the new IKE_SA (without
   REKEY_SA notify payloads), and finally deleting the old IKE_SA (which
   deletes the old CHILD_SAs as well).

While this approach works and reuses existing protocol elements, it has
some disadvantages. The problem is that we actually can't know that an
incoming IKE_SA setup is used for reauthentication, as creating multiple
identical IKE_SAs is perfectly feasible.

1. If a lot CHILD_SAs are established within the IKE_SA, this procedure
   needs a lot of exchanges to complete, increase load and reauth
   duration. During this stage, we also have multiple CHILD_SAs with
   the same traffic selectors. Defining priorities is difficult, as
   we don't know if the new IKE_SA is actually for reauthentication or
   not.
2. The server doesn't know that the new IKE_SA creation is used for
   reauthentication and can't assign the same INTERNAL_ADDRESS to the
   peer without risking an address conflict. This will result in an
   address change and will close established connections using that
   address.
3. Housekeeping and connection monitoring gets ways more complicated,
   as the new IKE_SA does not have any relation to the old one.

Mainly because of 2., we have been forced to do the reauthentication
procedure by closing the IKE_SA before establishing the new one. This
will eliminate the address flicker, but introduces a connectivity gap of
seconds.

While there are workarounds to these problems, I don't see a way to
implement reauthentication properly and reliable. Because of these
problems I'm thinking about an extension to do the reauthentication
within an established IKE_SA (think of the existing rekeying procedure,
but with an additional AUTH/EAP exchange).

What do you think about such an extension? Already considered something
similar, or does your reauthentication procedure work hassle-free? I'm
wondering if we are the only ones facing these problems or if such an
extension would gain broader acceptance...

Regards,
Martin - strongSwan project

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

v2.23.0 | Report a Bug | By Email