[IPsec] Fwd: Last Call: <draft-mglt-ipsecme-clone-ike-sa-05.txt> (Cloning IKE SA in the Internet Key Exchange Protocol Version 2 (IKEv2)) to Proposed Standard
"Paul Hoffman" <paul.hoffman@vpnc.org> Tue, 29 September 2015 22:48 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF8261B552F for <ipsec@ietfa.amsl.com>; Tue, 29 Sep 2015 15:48:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7dkVM-ecpAj4 for <ipsec@ietfa.amsl.com>; Tue, 29 Sep 2015 15:48:13 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD22E1B552E for <ipsec@ietf.org>; Tue, 29 Sep 2015 15:48:13 -0700 (PDT)
Received: from [10.32.60.79] (142-254-17-123.dsl.dynamic.fusionbroadband.com [142.254.17.123]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t8TMmC0U087052 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Tue, 29 Sep 2015 15:48:13 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 142-254-17-123.dsl.dynamic.fusionbroadband.com [142.254.17.123] claimed to be [10.32.60.79]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: IPsecME WG <ipsec@ietf.org>
Date: Tue, 29 Sep 2015 15:48:12 -0700
Message-ID: <EA641217-1A51-4BC6-AD0A-B7956E9A5BAA@vpnc.org>
References: <20150929214646.565.41905.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/4sYcszkRzBCJgzWMgQ1IL9cCm9Q>
Subject: [IPsec] Fwd: Last Call: <draft-mglt-ipsecme-clone-ike-sa-05.txt> (Cloning IKE SA in the Internet Key Exchange Protocol Version 2 (IKEv2)) to Proposed Standard
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2015 22:48:15 -0000
Of possible interest to people here. Responses to this should go to ietf@ietf.org, not to the IPsecME WG mailing list. Forwarded message: > From: The IESG <iesg-secretary@ietf.org> > To: IETF-Announce <ietf-announce@ietf.org> > Subject: Last Call: <draft-mglt-ipsecme-clone-ike-sa-05.txt> (Cloning > IKE SA in the Internet Key Exchange Protocol Version 2 (IKEv2)) to > Proposed Standard > Date: Tue, 29 Sep 2015 14:46:46 -0700 > > > The IESG has received a request from an individual submitter to > consider > the following document: > - 'Cloning IKE SA in the Internet Key Exchange Protocol Version 2 > (IKEv2)' > <draft-mglt-ipsecme-clone-ike-sa-05.txt> as Proposed Standard > > The IESG plans to make a decision in the next few weeks, and solicits > final comments on this action. Please send substantive comments to the > ietf@ietf.org mailing lists by 2015-10-27. Exceptionally, comments may > be > sent to iesg@ietf.org instead. In either case, please retain the > beginning of the Subject line to allow automated sorting. > > Abstract > > > This document considers a VPN End User establishing an IPsec SA with > a Security Gateway using the Internet Key Exchange Protocol Version 2 > (IKEv2), where at least one of the peers has multiple interfaces or > where Security Gateway is a cluster with each node having its own IP > address. > > With the current IKEv2 protocol, the outer IP addresses of the IPsec > SA are determined by those used by IKE SA. As a result using > multiple interfaces requires to set up an IKE SA on each interface, > or on each path if both the VPN Client and the Security Gateway have > multiple interfaces. Setting each IKE SA involves authentications > which might require multiple round trips as well as activity from the > VPN End User and thus would delay the VPN establishment. In addition > multiple authentications unnecessarily increase the load on the VPN > client and the authentication infrastructure. > > This document presents the solution that allows to clone IKEv2 SA, > where an additional SA is derived from an existing one. The newly > created IKE SA is set without the IKEv2 authentication exchange. > This IKE SA can later be assigned to another interface or moved to > another cluster mode using MOBIKE protocol. > > > > > The file can be obtained via > https://datatracker.ietf.org/doc/draft-mglt-ipsecme-clone-ike-sa/ > > IESG discussion can be tracked via > https://datatracker.ietf.org/doc/draft-mglt-ipsecme-clone-ike-sa/ballot/ > > > No IPR declarations have been submitted directly on this I-D. > >
- [IPsec] Fwd: Last Call: <draft-mglt-ipsecme-clone… Paul Hoffman