Re: [IPsec] Draft: IKEv2/IPsec Context Definition

"Valery Smyslov" <> Fri, 21 February 2014 11:03 UTC

Message-ID: <7A4D82FA3EF546E499D0A0CD18C58153@buildpc>
From: "Valery Smyslov" <>
To: "Daniel Palomares" <>, <>
References: <>
Date: Fri, 21 Feb 2014 15:02:31 +0400


I have some comments regarding the draft.

First, I'm a bit puzzled by intended status of the draft: Standards Track.
From my understanding this means that the document defines some protocol
that needs to be standardized to get interoperability. But the draft defines
no protocol; it just speculates on what the IKE/IPsec SA must contain.
While no doubt it is helpful, I think that the proper intended status for the draft
is Informational.

Then, I've always been thinking that the content of the IKE/IPsec SA is
an implementation issue. The draft tries to mandate this content,
but it lacks plenty of absolutely needed information (this is especially true
for IKE SA), like MID counters, window bitmaps, lifetimes, credential information,
VIDs, features, statistics and so on. 

On the other hand, the draft tries to mandate one way of presenting some data, 
ignoring the fact that it is not the only (and probably not the best) way. For example,
instead of transferring nonces and DH secret to the other node one may 
transfer computed SK_* keys. This approach may have some advantages both 
from security and performance perspectives. 

Valery Smyslov.

  ----- Original Message ----- 
  From: Daniel Palomares 
  Sent: Thursday, February 13, 2014 6:09 PM
  Subject: [IPsec] Draft: IKEv2/IPsec Context Definition


  Please find a draft we have posted. It concerns the definition of IKEv2 and IPsec contexts.
  Comments are welcome,


  Daniel Palomares

  Name:        draft-plmrs-ipsecme-ipsec-ikev2-context-definition.

  Revision: 00
  Title:       IKEv2/IPsec Context Definition
  Document date:    2014-02-12
  Group:        Individual Submission
  Pages:        8


     IPsec/IKEv2 clusters are constituted of multiple nodes accessed via a
     single address by the end user.  The traffic is then split between
     the nodes via specific IP load balancing policies.  Once a session is
     assigned to a given node, IPsec makes it difficult to assign the
     session to another node.  This makes management operations and
     transparent high availability for end users difficult to perform
     within the cluster.

     This document describes the contexts for IKEv2 and IPsec that MUST be
     transferred between two nodes so a session can be restored.  This
     makes possible to transfer an IPsec session transparently to the end


  Orange Labs, Issy-les-Moulineaux

  +33 6 34 23 07 88


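The reply above contrasts two ways of building the IKE SA context the draft wants transferred between cluster nodes: carrying the nonces and DH secret so the receiving node re-runs the derivation, or carrying the computed SK_* keys. The following added example (not from the draft or the thread) shows both contexts for the IKEv2 key derivation of RFC 7296 section 2.14, SKEYSEED = prf(Ni | Nr, g^ir) and SK_* = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr); the algorithm choices (HMAC-SHA-256 as prf and integrity, AES-128 for encryption) and the sample values are assumptions.

```python
import hmac
import hashlib

# Assumed cipher suite: prf = integrity = HMAC-SHA-256 (32-byte keys), encryption = AES-128
# (16-byte keys). Key order and sizes follow RFC 7296 section 2.14.
PRF_HASH = hashlib.sha256
KEY_LAYOUT = (("SK_d", 32), ("SK_ai", 32), ("SK_ar", 32),
              ("SK_ei", 16), ("SK_er", 16), ("SK_pi", 32), ("SK_pr", 32))


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, PRF_HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ of RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def derive_sk(ni: bytes, nr: bytes, g_ir: bytes, spi_i: bytes, spi_r: bytes) -> dict:
    """SKEYSEED = prf(Ni|Nr, g^ir); SK_* = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr), sliced in order."""
    skeyseed = prf(ni + nr, g_ir)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, sum(n for _, n in KEY_LAYOUT))
    keys, pos = {}, 0
    for name, n in KEY_LAYOUT:
        keys[name] = stream[pos:pos + n]
        pos += n
    return keys


def context_with_secrets(ni, nr, g_ir, spi_i, spi_r) -> dict:
    """Context as the draft presents it: ship the raw inputs, the peer re-derives."""
    return {"SPIi": spi_i, "SPIr": spi_r, "Ni": ni, "Nr": nr, "g^ir": g_ir}


def context_with_keys(ni, nr, g_ir, spi_i, spi_r) -> dict:
    """Alternative from the reply: ship the derived SK_* keys; the DH secret stays local."""
    return {"SPIi": spi_i, "SPIr": spi_r, "SK": derive_sk(ni, nr, g_ir, spi_i, spi_r)}


def restore_sk(ctx: dict) -> dict:
    """What the receiving node ends up with from either context form."""
    if "SK" in ctx:
        return ctx["SK"]
    return derive_sk(ctx["Ni"], ctx["Nr"], ctx["g^ir"], ctx["SPIi"], ctx["SPIr"])
```

Both forms restore identical SK_* keys; the difference is only in what material crosses the cluster interconnect and what the receiving node must compute.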