Re: [IPsec] Draft: IKEv2/IPsec Context Definition
"Valery Smyslov" <svanru@gmail.com> Fri, 21 February 2014 11:03 UTC
From: Valery Smyslov <svanru@gmail.com>
To: Daniel Palomares <daniel.palomares.ietf@gmail.com>, ipsec@ietf.org
References: <CAHf5+hrQ52GPKsAZJF4ZyhFNXgwZJOTEm8u-KKqVbta6Bj=N1g@mail.gmail.com>
Date: Fri, 21 Feb 2014 15:02:31 +0400
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/RupHoeVNkZzDIHOuTqCjrRGRj9k
Hi,

I have some comments regarding the draft.

First, I'm a bit puzzled by the intended status of the draft: Standards Track. From my understanding this means that the document defines some protocol that needs to be standardized to get interoperability. But the draft defines no protocol, it just speculates on what the contents of the IKE/IPsec SA must be. While no doubt it is helpful, I think that the proper intended status for the draft is Informational.

Then, I've always been thinking that the content of the IKE/IPsec SA is an implementation issue. The draft tries to mandate this content, but it lacks plenty of absolutely needed information (this is especially true for the IKE SA), like MID counters, window bitmaps, lifetimes, credential information, VIDs, features, statistics and so on. On the other hand, the draft tries to mandate one way of presenting some data, ignoring the fact that it is not the only (and probably not the best) way. For example, instead of transferring nonces and the DH secret to the other node one may transfer the computed SK_* keys. This approach may have some advantages both from security and performance perspectives.

Regards,
Valery Smyslov.

----- Original Message -----
From: Daniel Palomares
To: ipsec@ietf.org
Sent: Thursday, February 13, 2014 6:09 PM
Subject: [IPsec] Draft: IKEv2/IPsec Context Definition

Hi,

Please find a draft we have posted. It concerns the definition of IKEv2 and IPsec contexts. Comments are welcome,

BR,
Daniel Palomares

Name: draft-plmrs-ipsecme-ipsec-ikev2-context-definition
Revision: 00
Title: IKEv2/IPsec Context Definition
Document date: 2014-02-12
Group: Individual Submission
Pages: 8
URL: http://www.ietf.org/id/draft-plmrs-ipsecme-ipsec-ikev2-context-definition-00.txt
Status: https://datatracker.ietf.org/doc/draft-plmrs-ipsecme-ipsec-ikev2-context-definition/
Htmlized: http://tools.ietf.org/html/draft-plmrs-ipsecme-ipsec-ikev2-context-definition-00

Abstract

IPsec/IKEv2 clusters are constituted of multiple nodes accessed via a single address by the end user. The traffic is then split between the nodes via specific IP load balancing policies. Once a session is assigned to a given node, IPsec makes it difficult to assign the session to another node. This makes management operations and transparent high availability for end users difficult to perform within the cluster. This document describes the contexts for IKEv2 and IPsec that MUST be transferred between two nodes so a session can be restored. This makes it possible to transfer an IPsec session transparently to the end user.

Daniel PALOMARES
Orange Labs, Issy-les-Moulineaux
+33 6 34 23 07 88
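Valery's last point, that a node can be handed the derived SK_* keys instead of the nonces and DH secret, rests on the IKEv2 key derivation of RFC 7296 section 2.14. The following is an added Python example, not code from the draft or from either poster, that computes SKEYSEED and the SK_* keys with prf+ and compares what each style of transferred context has to carry; the PRF (HMAC-SHA-256), the key sizes and the sample inputs are assumptions.

```python
import hashlib
import hmac

# Assumed negotiated PRF: PRF_HMAC_SHA2_256 (RFC 7296 / RFC 4868).
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # prf+ (RFC 7296 section 2.13): T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

# Key layout in RFC 7296 section 2.14 order; sizes are assumptions
# (32-byte PRF/integrity keys, 16-byte AES-128 encryption keys).
KEY_LAYOUT = [("SK_d", 32), ("SK_ai", 32), ("SK_ar", 32),
              ("SK_ei", 16), ("SK_er", 16), ("SK_pi", 32), ("SK_pr", 32)]

def derive_sk(ni, nr, g_ir, spi_i, spi_r):
    # SKEYSEED = prf(Ni | Nr, g^ir), then prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)
    skeyseed = prf(ni + nr, g_ir)
    keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r,
                      sum(n for _, n in KEY_LAYOUT))
    keys, off = {}, 0
    for name, n in KEY_LAYOUT:
        keys[name] = keymat[off:off + n]
        off += n
    return keys

def context_raw(ni, nr, g_ir, spi_i, spi_r):
    # Draft-style context: the inputs of the derivation travel to the new node.
    return {"Ni": ni, "Nr": nr, "g^ir": g_ir, "SPIi": spi_i, "SPIr": spi_r}

def context_keys(ni, nr, g_ir, spi_i, spi_r):
    # Alternative from the reply: only the derived SK_* keys travel;
    # the DH secret and nonces never leave the node that computed them.
    ctx = {"SPIi": spi_i, "SPIr": spi_r}
    ctx.update(derive_sk(ni, nr, g_ir, spi_i, spi_r))
    return ctx

def restore_from_raw(ctx):
    # The receiving node must repeat the derivation when given the raw context.
    return derive_sk(ctx["Ni"], ctx["Nr"], ctx["g^ir"], ctx["SPIi"], ctx["SPIr"])
```

Both paths leave the receiving node with identical SK_* keys, and since RFC 7296 rekeying derives new material from SK_d rather than from the original nonces or g^ir, the key-only context is sufficient for later CREATE_CHILD_SA exchanges while keeping the DH secret confined to the node that computed it.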