
Re: [IPsec] NO_ADDITIONAL_SAS and IKE_AUTH

From: Vijay Devarapalli <dvijay_at_nospam>
Date: Tue Feb 03 2009 - 18:38:07 GMT
To: Yaron Sheffer <yaronf@checkpoint.com>, Tero Kivinen <kivinen@iki.fi>, Yoav Nir <ynir@checkpoint.com>


Hello,

Here is the proposed text for re-direct during IKE_AUTH exchange.

   If the gateway decides to re-direct the client during the IKE_AUTH
   exchange, it prevents the creation of a CHILD SA by sending the
   NO_ADDITIONAL_SAS Notify Payload in the IKE_AUTH response. It then
   follows up with an INFORMATIONAL message with the REDIRECT payload
   immediately. The following shows the message exchange between the
   client and the gateway.

       Initiator                          Responder (VPN GW)
       ---------                          ------------------
   (IP_I:500 -> IP_R:500)
    HDR(A,0), SAi1, KEi, Ni,
    N(REDIRECTED_SUPPORTED)          -->
                                        (IP_R:500 -> IP_I:500)
                                    <-- HDR(A,B), SAr1, KEr, Nr, [CERTREQ]
   (IP_I:500 -> IP_R:500)
    HDR(A,B), SK {IDi, [CERT,] [CERTREQ,]
    [IDr,] AUTH, SAi2, TSi, TSr}     -->
                                        (IP_R:500 -> IP_I:500)
                                    <-- HDR(A,B), SK {IDr, [CERT,] AUTH,
                                        N(NO_ADDITIONAL_SAS)}
                                    <-- HDR, SK {N[REDIRECT, IP_R/FQDN_R]}
    HDR, SK {}                       -->

   When the client receives the IKE_AUTH response with the
   NO_ADDITIONAL_SAS payload from the gateway, it may decide to delete
   the IKEv2 SA. If the gateway receives the INFORMATIONAL message
   to delete the IKEv2 SA before sending the REDIRECT message, the
   gateway includes the REDIRECT payload in the response along with the
   DELETE payload.

Feel free to modify the text. A temporary pre04 version is at http://www.dvijay.com/ietf/internet-drafts/ipsec/draft-ietf-ipsecme-ikev2-redirect-04.txt

Vijay



IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
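As an added example, not part of this post or of the draft it refers to: a payload-level Python model of the exchange proposed above, covering both the normal follow-up REDIRECT INFORMATIONAL and the case where the client's DELETE reaches the gateway first, so the REDIRECT rides along with the DELETE response. Payload names are those from the proposed text; "gw2.example.net" is a constructed placeholder for the redirect target, and IKE headers, SK encryption and AUTH computation are not modelled.

```python
class Gateway:                        # responder (VPN GW)
    def __init__(self, redirect_to=None):
        self.redirect_to = redirect_to
        self.redirect_owed = False    # NO_ADDITIONAL_SAS sent, REDIRECT not yet sent

    def handle(self, exchange, payloads):
        if exchange == "IKE_AUTH":
            if self.redirect_to is None:          # normal case: CHILD SA is created
                return ("IKE_AUTH", ["IDr", "AUTH", "SAr2", "TSi", "TSr"])
            self.redirect_owed = True             # refuse the CHILD SA; REDIRECT follows
            return ("IKE_AUTH", ["IDr", "AUTH", "N(NO_ADDITIONAL_SAS)"])
        resp = ["DELETE"] if "DELETE" in payloads else []
        if resp and self.redirect_owed:           # client's DELETE won the race:
            resp.append(f"N(REDIRECT,{self.redirect_to})")   # piggyback REDIRECT
            self.redirect_owed = False
        return ("INFORMATIONAL", resp)

    def send_redirect(self):          # follow-up INFORMATIONAL right after IKE_AUTH
        self.redirect_owed = False
        return ("INFORMATIONAL", [f"N(REDIRECT,{self.redirect_to})"])


class Client:                         # initiator
    def __init__(self, delete_on_no_sas=False):
        self.delete_on_no_sas = delete_on_no_sas  # tear down IKE SA on NO_ADDITIONAL_SAS
        self.ike_sa = self.child_sa = False
        self.redirected_to = None

    def handle(self, exchange, payloads):
        for p in payloads:
            if p.startswith("N(REDIRECT,"):       # REDIRECT, piggybacked or standalone
                self.redirected_to, self.ike_sa = p[len("N(REDIRECT,"):-1], False
        if exchange == "IKE_AUTH":
            self.ike_sa, self.child_sa = True, "SAr2" in payloads
            if self.delete_on_no_sas and "N(NO_ADDITIONAL_SAS)" in payloads:
                return ("INFORMATIONAL", ["DELETE"])   # client deletes the IKE SA
        elif "DELETE" in payloads:                # gateway's DELETE response
            self.ike_sa = False


def run(delete_before_redirect, target="gw2.example.net"):  # target: placeholder
    """Return (child_sa, ike_sa, redirected_to, payloads of each gateway message)."""
    gw, cl = Gateway(target), Client(delete_before_redirect)
    trace = [gw.handle("IKE_AUTH", ["IDi", "AUTH", "SAi2", "TSi", "TSr"])]
    req = cl.handle(*trace[-1])
    if req or gw.redirect_owed:       # DELETE raced the REDIRECT, or REDIRECT follows
        trace.append(gw.handle(*req) if req else gw.send_redirect())
        cl.handle(*trace[-1])
    return cl.child_sa, cl.ike_sa, cl.redirected_to, [p for _, p in trace]
```

`run(False)` walks the flow in the diagram, `run(True)` the race described in the last paragraph, and `run(False, target=None)` the ordinary IKE_AUTH that creates a CHILD SA.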