Hi Yaron,

one disadvantage is that the client in this case
must know all the cluster's addresses beforehand.
It is better when the cluster itself makes the decision
when and where to move any particular client,
and the client plays only a passive role.

And resumption tickets are intended to
restore the IKE SA with that particular gateway, not to clone it.
So tickets are one-time use. I think ticket management
can become too complex if we want to allow
the client to have multiple tickets and to use them
in any order with any cluster member.

Regards,
Valery.


----- Original Message ----- From: "Yaron Sheffer" <yaronf.i...@gmail.com>
To: "Valery Smyslov" <sva...@gmail.com>; "Paul Hoffman" <paul.hoff...@vpnc.org>; "IPsecME WG" <ipsec@ietf.org>
Sent: Thursday, November 27, 2014 4:00 PM
Subject: Re: [IPsec] Survey for WG interest in adopting draft-mglt-ipsecme-clone-ike-sa


<hat on: RFC 5723 co-author>

Hi Valery,

Have you looked at using session resumption (RFC 5723) for this, instead of coming up with a new mechanism?

Thanks,
Yaron

On 11/27/2014 02:56 PM, Valery Smyslov wrote:
Hi all,

as a co-author of the draft I (obviously) support its adoption.

I think that the mechanism it describes is useful and could be used
as a building block for several solutions. For example,
it can be used in a load-sharing scenario when there are
several gateways with different IP addresses that share
the same credentials. If a client established an IKE SA with
any of them, then the SA could be cloned and transferred
to other nodes of this cluster without reauthentication,
and the traffic from the client could then be balanced
among those gateways.

Regards,
Valery Smyslov.


----- Original Message ----- From: "Paul Hoffman" <paul.hoff...@vpnc.org>
To: "IPsecME WG" <ipsec@ietf.org>
Sent: Tuesday, November 25, 2014 11:06 PM
Subject: [IPsec] Survey for WG interest in adopting draft-mglt-ipsecme-clone-ike-sa


<chair hats on>

Greetings again. The "Clone IKE SA" proposal tries to optimize IKE SA
setup in cases where VPN gateways have multiple interfaces and want to
establish different SAs on the different interfaces without having to
repeat the IKE authentication. Instead, they could clone a single IKE
SA multiple times, and then move it to different interfaces using MOBIKE.

If you agree with the need to standardize this usage, and believe that
draft-mglt-ipsecme-clone-ike-sa is likely to be a good starting place
for that standardization, and are willing to review and contribute
text to the document if it is adopted by the WG, please say so on the
list. This WG has a history of adopting documents but then not having
enough reviewers for us to feel confident that we are making a good
standard, so we need to see a reasonable number of actively interested
people before we adopt the document. If it is not adopted, the authors
can ask for it to be published as an RFC through individual submission
or by the Independent Submissions Editor.

Please reply by December 8, 2015.

--Paul Hoffman and Yaron Sheffer
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
