[IPsec] load-sharing and draft-mglt-ipsecme-clone-ike-sa
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 04 December 2014 21:14 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 006051A1E0F for <ipsec@ietfa.amsl.com>; Thu, 4 Dec 2014 13:14:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 66lGOsnyOU6P for <ipsec@ietfa.amsl.com>; Thu, 4 Dec 2014 13:14:43 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49D7F1A1EED for <ipsec@ietf.org>; Thu, 4 Dec 2014 13:14:40 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id B02182002A; Thu, 4 Dec 2014 16:18:03 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179) id 1BF47637F5; Thu, 4 Dec 2014 16:14:38 -0500 (EST)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id F1179637F4; Thu, 4 Dec 2014 16:14:38 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <21624.32179.838590.460413@fireball.kivinen.iki.fi>
References: <FC0E9543-B2FE-48FE-8CBD-D3BDF2AA2B96@vpnc.org> <A8C8555BA51C4BDEBE348A4A6ABF33ED@buildpc> <alpine.LFD.2.10.1411271114320.7507@bofh.nohats.ca> <21624.32179.838590.460413@fireball.kivinen.iki.fi>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Thu, 04 Dec 2014 16:14:38 -0500
Message-ID: <7377.1417727678@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/CNtnjBu35kkSI1IC3hmSlf2MMOM
Cc: IPsecME WG <ipsec@ietf.org>, Valery Smyslov <svanru@gmail.com>, Paul Wouters <paul@nohats.ca>
Subject: [IPsec] load-sharing and draft-mglt-ipsecme-clone-ike-sa
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Dec 2014 21:14:47 -0000
Tero Kivinen <kivinen@iki.fi> wrote: >> > it can be used in load-sharing scenario when there are >> That would run into replay protection problems, just like if you copy >> all kernel IPsec state between machines. And I believe load sharing >> when properly done should be invisible to client side and not need >> special support. > Actually I tihnk the idea is to get rid of the replay protection > issues. In normal case if you just copy all IKE and IPsec state > between the servers, then you need to make sure you also copy all > replay data. If you clone the IKE SA, move the cloned IKE SA to new > IP-address (and new load sharing server in the cluster), and then > create the IPsec Child SAs there, then each of the replay data is only > located in the server you are talking to, and there is no need to move > replay data between the cluster members. Given the the original document is about making multiple interfaces work, in the degenerate case of a phone with 3G and wifi, it seems to me that the case where there are multiple gateways (probably with different ISPs) is just the degenerate case on speed/PCP. All that is to say that it seems we should adopt this document, if this is really a use case we care about. >> Throwing around private keys or computed shared secrets to multiple >> peers worry me. > Private keys do not need to be transmitted, only the SKEYSEED and > material generated from there needs to be transmitted (i.e. the > computed shared state). Doing load-sharing without the client > knowledge, do require exactly same material to be transmitted, but in > addition to that all the replay protection related material needs to > be transmitted also. I left this here: I think that load balancers often *do* share private keys, and I think this protocol could reduce this need. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [IPsec] Survey for WG interest in adopting draft-… Paul Hoffman
- Re: [IPsec] Survey for WG interest in adoptingdra… Valery Smyslov
- Re: [IPsec] Survey for WG interest in adoptingdra… Yaron Sheffer
- Re: [IPsec] Survey for WG interest in adoptingdra… Valery Smyslov
- Re: [IPsec] Survey for WG interest in adoptingdra… Paul Wouters 🔓
- Re: [IPsec] Survey for WG interest in adoptingdra… Valery Smyslov
- [IPsec] Survey for WG interest in adopting draft-… Tero Kivinen
- Re: [IPsec] Survey for WG interest in adoptingdra… Tero Kivinen
- Re: [IPsec] Survey for WG interest in adopting dr… Yaron Sheffer
- [IPsec] load-sharing and draft-mglt-ipsecme-clone… Michael Richardson
- Re: [IPsec] Survey for WG interest in adopting dr… Daniel Migault
- Re: [IPsec] Survey for WG interest in adoptingdra… Daniel Migault