Re: [IPsec] Issue #15: Message ID reset to 0 after IKE SA rekey

I don't know the current status about this.

I would suggest that this could be left as it currently is. When reading the section about rekeying IKE SAs (1.3.2), it is easily deduced that rekeying will have the effect of resetting the Message IDs of the SA to 0. Section 2.18 also states this.

Perhaps, having a single paragraph discussing Rekeying of IKE SAs using the CREATE_CHILD_SA exchange would make understanding the process faster. In 2.2, the reader could be redirected to the new, unified section about rekeying after the section (2.2) states that Message IDs are reset when rekeying an IKE SA. Maybe something like:

2.2. Use of Sequence Numbers for Message ID

The Message ID is a 32-bit quantity, which is zero for the IKE_SA_INIT messages (including retries of the message due to responses such as COOKIE and INVALID_KE_PAYLOAD), and when an IKE SA is being rekeyed (the new IKE SA that will take the place of the expiring SA MUST have the Message ID set to 0). For information about rekeying, see section Rekeying an IKE_SA with CREATE_CHILD_SA. The Message ID is then incremented for each subsequent exchange.

2009/3/11 Joy Latten <latten at austin.ibm.com>

On Tue, 2009-03-03 at 20:18 +0200, Yaron Sheffer wrote:
> 2.2. Use of Sequence Numbers for Message ID
>
> The Message ID is a 32-bit quantity, which is zero for the IKE_SA_INIT
> messages (including retries of the message due to responses such as
> COOKIE and INVALID_KE_PAYLOAD {{ Clarif-2.2 }}), and incremented for
> each subsequent exchange.
>
> Tero:
>
> Add text:
>
> The Message ID is reset to zero also after IKE SA rekey for the new
> IKE SA.
>
That paragraph has another sentence "Rekeying an IKE SA resets the
sequence numbers." Perhaps the above and this could be
combined. Something like:

Rekeying an IKE SA resets the sequence number counter to zero for the
new IKE SA.

regards,
Joy
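The Message ID rule the thread is pinning down, modelled as an added example (it is not code from the thread or from the IKEv2 draft): IKE_SA_INIT and its COOKIE / INVALID_KE_PAYLOAD retries carry 0, each completed exchange advances the counter, and the SA created by a CREATE_CHILD_SA rekey starts again at 0. The exchange sequence, the SA names and a responder window of one outstanding request are assumptions made for the example.

```python
from dataclasses import dataclass

MAX_MSG_ID = 0xFFFFFFFF                       # the Message ID is a 32-bit quantity
INIT_RETRY_NOTIFIES = {"COOKIE", "INVALID_KE_PAYLOAD"}

@dataclass
class IkeSa:
    name: str
    next_id: int = 0      # initiator: Message ID the next request will carry
    expected_id: int = 0  # responder: Message ID accepted next (window of one, assumed)
    def send_request(self, exchange: str) -> int:
        """Initiator: a request carries the current counter value."""
        if self.next_id > MAX_MSG_ID:
            raise OverflowError("Message ID space exhausted; rekey the IKE SA")
        return self.next_id
    def on_response(self, exchange: str, notify: str = "") -> None:
        """Advance when an exchange completes; an IKE_SA_INIT answered with
        COOKIE or INVALID_KE_PAYLOAD is retried instead, so the retry reuses 0."""
        if exchange == "IKE_SA_INIT" and notify in INIT_RETRY_NOTIFIES:
            return
        self.next_id += 1
    def accept_request(self, msg_id: int) -> bool:
        """Responder: anything but the expected ID is dropped as stale/replayed."""
        if msg_id != self.expected_id:
            return False
        self.expected_id += 1
        return True
    def rekey(self, new_name: str) -> "IkeSa":
        """CREATE_CHILD_SA rekey: new SA starts at 0; this SA keeps its own counter."""
        return IkeSa(new_name)

def run_scenario() -> dict:
    """Constructed sequence: init (with a COOKIE retry), auth, rekey, then the
    first request on the new SA. Returns the Message IDs seen at each step."""
    sa1 = IkeSa("SA1")
    sa1.send_request("IKE_SA_INIT")
    sa1.on_response("IKE_SA_INIT", notify="COOKIE")               # retry keeps 0
    retry_init = sa1.send_request("IKE_SA_INIT")
    sa1.on_response("IKE_SA_INIT")                                # exchange done
    auth = sa1.send_request("IKE_AUTH"); sa1.on_response("IKE_AUTH")
    rekey = sa1.send_request("CREATE_CHILD_SA"); sa1.on_response("CREATE_CHILD_SA")
    sa2 = sa1.rekey("SA2")
    on_sa2 = sa2.send_request("INFORMATIONAL")
    # A responder that carried SA1's counter into SA2 would reject SA2's first
    # request; one that reset to 0, as the proposed text requires, accepts it.
    not_reset = IkeSa("SA2-not-reset", expected_id=sa1.next_id)
    return {"retry_init": retry_init, "auth": auth, "rekey": rekey, "on_sa2": on_sa2,
            "reset_accepts": sa2.accept_request(on_sa2),
            "not_reset_rejects": not not_reset.accept_request(on_sa2)}
```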



_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.