RE: Error in ips-security-07

To: Black_David@emc.com
Subject: RE: Error in ips-security-07
From: Paul Koning <ni1d@arrl.net>
Date: Mon, 28 Jan 2002 10:35:33 -0500
Cc: ips@ece.cmu.edu
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
References: <277DD60FB639D511AC0400B0D068B71E039C7EAE@CORPMX14>
Sender: owner-ips@ece.cmu.edu

Excerpt of message (sent 26 January 2002) by Black_David@emc.com:
> This is the infamous "dangling SA" issue discussed in ipsec
> in the past.  While I don't recall its resolution, the IKEv2
> draft prohibits dangling SAs, and the IPS Security draft is
> taking the same position.  OTOH, I seem to recall that IKEv1
> implementations differ on whether dangling SAs are allowed.
> Paul - are you suggesting that prohibiting dangling SAs
> would unnecessarily exclude some IKEv1 implementations to
> our detriment?

I'm not sure what "dangling SAs" are, or whether that term applies to
the case you're talking about here.  I'll have to look at IKEv2 to see
what the story is there.

As for IKEv1, the spec explicitly discusses deleting the Phase 1 SA
immediately after the Phase 2 negotation (Quick Mode) has been
performed, in situations where you want Perfect Forward Secrecy.   So
it's not just that this is silently permitted -- it is explicitly
recommended.  Therefore I think it is a very bad idea for the IPS
security spec to explicitly disallow that same behavior!

I've run into several implementations that built in an assumption that
the Phase 2 SA is subordinate to the Phase 1 SA.  That's simply a
wrong assumption, as the text I quoted makes clear, and such
assumptions caused interop problems in interop test sessions.  I
remember having to fix this bug in our implementation at some point.
We need to make sure we don't duplicate those bugs here.

In any event, I cannot see any reason for the IPS spec to discuss this
topic at all.  SAs should be deleted when the IKE/IPsec specs call for
their deletion and not otherwise.  Why should IPS care what those
rules are?  We already have a lot of dabbling in internal IPsec/IKE
detail going on in the IPS security spec.  Talking about requirements
subsetting is one thing -- restating IKE algorithms is quite another,
especially if the restatement conflicts with the authoritative text.

It *is* correct for the IPS spec to say what you do to a connection
when the SA protecting it goes away.  That's already covered (on page
12); the current text makes sense to me.

	paul

References:
- RE: Error in ips-security-07
  - From: Black_David@emc.com

Prev by Date: RE: iSCSI: Framing Steps
Next by Date: RE: iSCSI: not offering a key
Prev by thread: RE: Error in ips-security-07
Next by thread: iSCSI: Framing Steps
Index(es):
- Date
- Thread

Home

Last updated: Mon Jan 28 11:18:05 2002
8513 messages in chronological order