On Thu, 27 Nov 2014, Valery Smyslov wrote:

I think that the mechanism it describes is useful and could be used
as a building block for several solutions. For example,
it can be used in a load-sharing scenario when there are
some gateways with different IP addresses that share
the same credentials. If a client has established an IKE SA with
any of them, then the SA could be cloned and transferred
to other nodes of this cluster without reauthentication,
and the traffic from the client could then be balanced
among those gateways.

That would run into replay protection problems, just like if you copy
all kernel IPsec state between machines. And I believe load sharing
when properly done should be invisible to client side and not need
special support.

Greetings again. The "Clone IKE SA" proposal tries to optimize IKE SA setup in cases where VPN gateways have multiple interfaces and want to establish different SAs on the different interfaces without having to repeat the IKE authentication. Instead, they could clone a single IKE SA multiple times, and then move it to different interfaces using MOBIKE.

If you agree with the need to standardize this usage, and believe that draft-mglt-ipsecme-clone-ike-sa is likely to be a good starting place for that standardization, and are willing to review and contribute text to the document if it is adopted by the WG, please say so on the list.

I am interested in the problem, but have bad feelings about throwing
around IKE states from two peers to another peer, which this
mechanism seems to leave open. For instance, I would much rather see
some informational exchange method or create child SA method using the
existing IKE SA for conveying this information and somehow create the
additional new Child SA.

Throwing around private keys or computed shared secrets to multiple
peers worries me.

Paul
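The replay-protection problem raised above, as an added illustration that is not part of the thread: a receiver keeps one RFC 4303 anti-replay window per inbound SA, so if an outbound SA (with its sequence counter) is cloned to two gateways that both keep sending, the second copy of every sequence number is dropped as a replay. The SPI, starting counter and 64-packet window are constructed sample values.

```python
WINDOW = 64  # receiver's anti-replay window in packets (RFC 4303 recommends >= 32)

class AntiReplayWindow:
    """Receiver-side sliding window for one inbound SA (RFC 4303 Appendix A, 32-bit seq)."""
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.top:                    # packet is to the right: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                  # mark the new top as received
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                 # older than the window: drop
            return False
        if self.bitmap & (1 << diff):         # already seen inside the window: replay
            return False
        self.bitmap |= 1 << diff
        return True

class OutboundSA:
    """Sender-side ESP state; cloning copies the sequence counter along with the keys."""
    def __init__(self, spi, seq):
        self.spi, self.seq = spi, seq

    def clone(self):
        return OutboundSA(self.spi, self.seq)

    def send(self):
        self.seq += 1                         # each sender advances only its own copy
        return self.seq

def simulate_cloned_senders(n_packets):
    """Clone one SA to gateways A and B, let both send; return (accepted, rejected)."""
    original = OutboundSA(spi=0x1234, seq=100)   # constructed sample SA state
    gw_a, gw_b = original.clone(), original.clone()
    receiver = AntiReplayWindow()                 # one window for this SPI at the peer
    accepted = rejected = 0
    for _ in range(n_packets):
        for gw in (gw_a, gw_b):                   # both emit the same sequence numbers
            if receiver.check_and_update(gw.send()):
                accepted += 1
            else:
                rejected += 1
    return accepted, rejected
```

With two clones sending, exactly half of the traffic is discarded as replays, which is why the sequence counter and window state cannot simply be copied to another sender.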

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
