Hi Tero,

Going back to the original issue: there is no interoperable way to send 
"generic dummy packets". So it's OK if we mention dummy ESP packets, but 
anything else would be implementation specific. Even pings.

Thanks,
        Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
> Of Tero Kivinen
> Sent: Monday, February 08, 2010 19:28
> To: Yoav Nir
> Cc: ipsec
> Subject: [IPsec] Yet another closing session - issues #153-#157
> 
> 
> > Issue #154 - Sending dummy messages during rekey
> > ================================================
> > Sec. 2.8: "An initiator MAY send a dummy message on a newly created
> > SA if it has no messages queued in order to assure the responder
> > that the initiator is ready to receive messages."
> > A dummy (higher level protocol) message on an IPsec SA is way out of
> > scope. Whether such messages even exist is a matter of local
> > implementation.
> > Or does the document refer to "dummy ESP messages" (RFC 4303, sec.
> > 2.6)? If so, please add the reference.
> >
> > I suspect that some implementations do not implement TFC, and so had
> > no reason to implement dummy messages. If this was a MUST here or
> > even a SHOULD, I would definitely object, but this is a MAY-level
> > requirement.
> >
> > I think we can close this by replacing "MAY send a dummy message on
> > a newly created SA..." with "MAY send a dummy ESP message on a newly
> > created ESP SA..."  (added ESP twice, because there are no dummy
> > messages in AH), and add a normative reference to RFC 4303 - no need
> > IMO to link from the text.
> 
> How about changing it to just say that "initiator can send a dummy
> message ...".
> 
> And the dummy message is not necessarily only those ones described in
> the RFC4303 section 2.6, it can be anything that is suitable for the
> scenario.
> 
> For example in the vpn setup where SA is set up during the autostart
> it can be a simple ping packet or it can be just a udp packet to the discard port,
> whichever is suitable for the environment.
> 
> This text is not describing what the dummy packet is, it is just
> saying you might want to (and can) send such packet to make sure other
> end knows you have the Child SA installed properly, so they can start
> sending packets back.
> 
> I do not think we really need to change anything in this text.
> 
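The thread turns on what a "dummy ESP message" actually is. The following is an added example, not code from the thread or from any IPsec implementation: it shows the plaintext layout of an ESP packet after decryption (RFC 4303 section 2.4 trailer: padding, pad length, next header) and how a receiver tells a dummy packet (Next Header = 59, RFC 4303 section 2.6) from a real one and discards it. Encryption, integrity protection and the ESP header itself are omitted; the block size, the fixed dummy content and the sample payloads are constructed assumptions.

```python
"""Added example (not from the ipsec list thread): ESP trailer construction and
receiver-side handling of RFC 4303 dummy packets.

Assumptions: only the plaintext portion of an ESP packet is modelled, i.e.
  payload || padding || pad length (1 byte) || next header (1 byte)
Encryption/ICV processing, the SPI/sequence header and TFC padding are left out.
"""

ESP_NEXT_HEADER_DUMMY = 59   # "no next header": receiver MUST discard (RFC 4303 2.6)
IPPROTO_IPV4 = 4             # inner IPv4 packet in tunnel mode (IANA protocol number)
BLOCK_SIZE = 16              # constructed assumption: 16-byte cipher block alignment


def build_esp_plaintext(payload: bytes, next_header: int,
                        block_size: int = BLOCK_SIZE) -> bytes:
    """Append the ESP trailer so the plaintext is block aligned.

    Padding bytes follow the default monotonically increasing pattern
    1, 2, 3, ... described in RFC 4303 section 2.4.
    """
    if not 0 <= next_header <= 255:
        raise ValueError("next header must fit in one byte")
    # Two trailer bytes (pad length, next header) must also land on the boundary.
    pad_len = (-(len(payload) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def build_dummy_esp_plaintext(length: int) -> bytes:
    """A dummy packet: arbitrary content, Next Header = 59.

    Content is deterministic zeros here (constructed); real senders may use
    any bytes, since the receiver discards the whole packet.
    """
    return build_esp_plaintext(bytes(length), ESP_NEXT_HEADER_DUMMY)


def parse_esp_plaintext(plaintext: bytes):
    """Split decrypted ESP plaintext into (next_header, payload).

    Raises ValueError on a malformed trailer, which a receiver should treat
    as a drop-and-audit event rather than passing anything up the stack.
    """
    if len(plaintext) < 2:
        raise ValueError("truncated ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("pad length exceeds plaintext length")
    padding = plaintext[len(plaintext) - 2 - pad_len:-2]
    # Sanity check against the default padding pattern; a mismatch is a
    # malformed or corrupted packet, not something to silently accept.
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not match the default pattern")
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    return next_header, payload


def receive(plaintext: bytes):
    """Receiver-side decision after decryption and integrity verification.

    Returns None when the packet is a dummy (it carries no upper-layer data
    and must be discarded), otherwise (next_header, payload) for delivery.
    """
    next_header, payload = parse_esp_plaintext(plaintext)
    if next_header == ESP_NEXT_HEADER_DUMMY:
        return None
    return next_header, payload


if __name__ == "__main__":
    real = build_esp_plaintext(b"hello", IPPROTO_IPV4)      # constructed payload
    dummy = build_dummy_esp_plaintext(20)
    print("real  :", real.hex(), "->", receive(real))
    print("dummy :", dummy.hex(), "->", receive(dummy))
```

The point for an implementer is in `receive`: a dummy packet still consumes a sequence number and passes the integrity check like any other packet, so the peer learns the Child SA is installed, but nothing is delivered above ESP. That is also why such packets are interoperable while a "ping" or a UDP discard-port datagram is not: the latter are ordinary traffic whose meaning depends on the remote host, not on the SA.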

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
