Re: [IPsec] IKEv2 for load-sharing
"Prashant Batra (prbatra)" <prbatra@cisco.com> Mon, 29 August 2011 06:30 UTC
From: "Prashant Batra (prbatra)" <prbatra@cisco.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] IKEv2 for load-sharing

Hi Paul,

I think, if we are able to deduce some efficient way of doing this, it can add value.
A highly scalable and redundant deployment might use some good amount of load-sharing (can scale up to 4/5 sessions). In such scenarios, doing complete IKEv2 exchanges doesn't seem efficient or seems redundant.

If you or the group can appreciate this, I can think and come up with some ideas.

Regards,
Prashant

-----Original Message-----
From: Paul Hoffman [mailto:paul.hoffman@vpnc.org]
Sent: Saturday, August 27, 2011 12:16 AM
To: Prashant Batra (prbatra)
Cc: ipsec@ietf.org
Subject: Re: [IPsec] IKEv2 for load-sharing

On Aug 26, 2011, at 11:06 AM, Prashant Batra (prbatra) wrote:

> Hello,
>
> RFC-4555 (IKEv2 Mobility and Multihoming Protocol (MOBIKE)) defines the extension of IKEv2 to support mobile users to offer seamless services when connected using IPSec
> and also the support for SCTP multi-homing in override mode.
>
> To support a load-share model for SCTP (2 associations) or for that matter for any transport protocol between 2 gateways/nodes, 2 IKEv2 tunnels are needed between the same pair of gw/nodes.
> According to the current standards, the same pair of gateways has to go through complete IKEv2 exchange twice (at least 2, INIT and AUTH) to provide such a service.
> So, speaking the number of IKEv2 and IPSec tunnels needed between the gateways will increase with the increase in the amount of load-sharing and thus time to establish these tunnels.
>
> Going by the fact that the identity at both the gateways would be authenticated in the first tunnel establishment, is there a better way to achieve load-sharing?

By "better" I assume you mean "more efficient". If so, there probably is a "better" way to do it, but at the cost of greater complexity. I vaguely remember this being discussed in MOBIKE, but dismissed as too complicated for the value. Others here might remember more.

--Paul Hoffman