Re: [IPsec] Fwd: FW: I-D Action:draft-xu-ike-sa-sync-00.txt

"Peny Yang" <peng.yang.chn@gmail.com> Mon, 07 July 2008 15:05 UTC

Date: Mon, 07 Jul 2008 23:05:46 +0800
From: Peny Yang <peng.yang.chn@gmail.com>
To: Yoav Nir <ynir@checkpoint.com>
Cc: ipsec@ietf.org, paul.hoffman@vpnc.org
Subject: Re: [IPsec] Fwd: FW: I-D Action:draft-xu-ike-sa-sync-00.txt

Hi, Yoav:

Firstly, thanks a lot for your comments. Please check my words in-line below:

> Looks like we have a lot of drafts lately dealing with crash recovery:
> IFARE, QCD, SIR, and now yours (in chronological order).
>
> Specifically, it looks like your proposal is competing with the IFARE
> proposal:
> http://www.ietf.org/internet-drafts/draft-sheffer-ipsec-failover-03.txt
[Peny] Well, considering the problem of IPsec failover, some operators
may need a stateful network-centric solution.

> You may want to post to the list some cons/pros of your proposal vs
> ipsec-failover.
[Peny] Just as I mentioned above, this solution is a stateful
network-centric one to solve the problem of IPsec failover. Especially
when we consider the possibility that the IPsec client may be cracked,
our solution can be a useful alternative for operators. It only
incurs a very small extension on the base IKEv2 protocol.
And, I agree that our solution may need to be improved for the cases
where the mobile IPsec client does the IKE SYNC during handover. But
such cases are quite unusual. We will make the improvement in
the following updates.

> Specific comments about the draft:
>  - I think you should add a specific description about how keys are derived
> with a successful stub lookup
>  - I think you should remove the text that deals with internal structure
> (and the use of STL). We only need to know what the gateway should be able
> to look up
>  - I'm not sure I understand section 3.6.  I understand the format of the
> SYN payload, but I don't get the stub-related signaling.  Are you specifying
> the signaling protocol between the gateways, or is that left as a local
> matter?  Is interoperability between different vendors' gateways a goal of
> this specification?
[Peny] Thank you very much for your comments. We will update our draft
based on your comments within the next week.

Thank you again for your help.

BRG
Peny


>
> On Jul 7, 2008, at 12:05 PM, Peny Yang wrote:
>
> >
> > Hi, folks:
> >
> > We have submitted the draft on IKEv2 SA synchronization. Please check it.
> > Comments are more than welcome.
> >
> > And, if possible, I would like to apply for a slot to present our work
> > in the incoming IPsec WG meeting in Dublin.
> >
> > Thanks a lot
> > BRG
> > Peny
> >
> >
> >
> >
> > >
> > > > -----Original Message-----
> > > > From: i-d-announce-bounces@ietf.org [mailto:i-d-announce-bounces@ietf.org]
> > > > On Behalf Of Internet-Drafts@ietf.org
> > > > Sent: Monday, July 07, 2008 4:30 PM
> > > > To: i-d-announce@ietf.org
> > > > Subject: I-D Action:draft-xu-ike-sa-sync-00.txt
> > > >
> > > > A New Internet-Draft is available from the on-line Internet-Drafts
> > > > directories.
> > > >
> > > >   Title           : IKE SA Synchronization
> > > >   Author(s)       : Y. Xu, et al.
> > > >   Filename        : draft-xu-ike-sa-sync-00.txt
> > > >   Pages           : 17
> > > >   Date            : 2008-07-07
> > > >
> > > > It will take a long time to do security association synchronization
> > > > among IKE/IPsec gateways possibly maintaining huge numbers of IKEv2/
> > > > IPsec SAs.  The major reason is that the procedure of IKEv2 SA re-
> > > > establishment will incur a time-consuming computation especially in
> > > > the Diffie-Hellman exchange.  In this draft, a new IKE security
> > > > associations synchronization solution is proposed to reduce the
> > > > computation by directly transferring the indexed IKE SA from old
> > > > gateway to new gateway, wherein the most expensive Diffie-Hellman
> > > > calculation can be avoided.  Without some time-consuming IKEv2
> > > > exchanges, the huge amount of IKE/IPsec SA synchronization procedures
> > > > can be finished in a short time.
> > > >
> > > > A URL for this Internet-Draft is:
> > > > http://www.ietf.org/internet-drafts/draft-xu-ike-sa-sync-00.txt
> > > >
> > > > Internet-Drafts are also available by anonymous FTP at:
> > > > ftp://ftp.ietf.org/internet-drafts/
> > > >
> > > > Below is the data which will enable a MIME compliant mail reader
> > > > implementation to automatically retrieve the ASCII version of the
> > > > Internet-Draft.
> > > >
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
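Added illustration of why the draft's abstract can claim the Diffie-Hellman step is avoidable once IKE SA state has been handed to another gateway; this is not code from draft-xu-ike-sa-sync or from anyone in this thread. Under RFC 7296, a Child SA created or rekeyed without a new DH exchange is keyed from SK_d and the two nonces alone, so the derivation below assumes HMAC-SHA-256 as the negotiated PRF and uses constructed sample values for SK_d and the nonces.

```python
import hmac
import hashlib

# Added example; assumes HMAC-SHA-256 was negotiated as the IKE SA's PRF.

def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKEv2 PRF (assumed here: HMAC-SHA-256)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13:
    T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n); output is T1 | T2 | ..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        if n > 255:
            raise ValueError("prf+ cannot produce more than 255 blocks")
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes,
                    enc_len: int, integ_len: int) -> dict:
    """Keys for a Child SA set up WITHOUT a new DH exchange (RFC 7296 2.17):
    KEYMAT = prf+(SK_d, Ni | Nr). Initiator-to-responder keys are taken
    first, and for each direction the encryption key precedes the integrity
    key. Only SK_d and the nonces are consumed, so a gateway holding a
    synchronized copy of the IKE SA's SK_d can key a fresh Child SA with no
    modular exponentiation at all."""
    keymat = prf_plus(sk_d, ni + nr, 2 * (enc_len + integ_len))
    keys, pos = {}, 0
    for name, size in (("sk_ei", enc_len), ("sk_ai", integ_len),
                       ("sk_er", enc_len), ("sk_ar", integ_len)):
        keys[name] = keymat[pos:pos + size]
        pos += size
    return keys

# Constructed sample state (made-up values): the SK_d a backup gateway
# would receive from the primary, plus the nonces of a CREATE_CHILD_SA
# exchange. Whoever holds SK_d can derive every future Child SA key, so
# the synchronization channel itself must be authenticated and encrypted.
SAMPLE_SK_D = bytes(range(32))
SAMPLE_NI = bytes(range(0x10, 0x30))
SAMPLE_NR = bytes(range(0x30, 0x50))

def demo() -> dict:
    """AES-256 (32-byte) encryption keys and HMAC-SHA-256 (32-byte) keys."""
    return child_sa_keymat(SAMPLE_SK_D, SAMPLE_NI, SAMPLE_NR, 32, 32)

if __name__ == "__main__":
    for name, key in demo().items():
        print(name, key.hex())
```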