Re: [IPsec] Agenda for IETF 100

"Valery Smyslov" <svanru@gmail.com> Sun, 29 October 2017 06:55 UTC

Message-ID: <B1AE800296E4451D97B9D65D87019A68@chichi>
From: Valery Smyslov <svanru@gmail.com>
To: "Hu, Jun (Nokia - US/Mountain View)" <jun.hu@nokia.com>, 'Tero Kivinen' <kivinen@iki.fi>, ipsec@ietf.org
References: <23026.13858.483048.716056@fireball.acr.fi> <0fda01d34f33$1600bd70$42023850$@gmail.com> <HE1PR07MB14177D7CEDF8D0C7284F3EDC955B0@HE1PR07MB1417.eurprd07.prod.outlook.com> <8BB6B1152F22407784D0AFDF777FB982@chichi> <HE1PR07MB14173E915F512CA58222C178955B0@HE1PR07MB1417.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR07MB14173E915F512CA58222C178955B0@HE1PR07MB1417.eurprd07.prod.outlook.com>
Date: Sun, 29 Oct 2017 09:55:42 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/W-iE4H-bHcw-WYIXjoA51AHTuag>
Subject: Re: [IPsec] Agenda for IETF 100

Hi,

>> The problem with IKE Redirect is that it requires the IKE SA to be re-established
>> from scratch.
>> It consumes quite a lot of resources and takes a noticeable amount of time.
>> Moreover, in some cases it could require human interaction (in case of some
>> EAP methods, or if access to the client's credentials requires entering a PIN), so it
>> may be inappropriate.
>> The idea is to have a solution that utilizes the already established IKE SA and
>> moves it (along with its Child SAs) from one cluster member to another
>> without creating a new IKE SA.
>
> [HJ] two questions:
> 1. This sounds interesting; however, how to do it securely is the most important question. Do you already have a draft?

draft-smyslov-ipsecme-ikev2-r-mobike

> 2. If the use case is load balancing, then wouldn't it be better to make a selection right when the client connects
> (e.g. redirect during IKE_AUTH) than to move the SA around after the tunnel is established?

This is definitely an option (and it can even be achieved with IKE Redirect).
However, once a client is connected you cannot move it to another member,
so depending on the clients' activity the members' load can become very uneven, and
you cannot balance it without forcing clients to reconnect. The desire is to
be able to dynamically balance the members' load.

Regards,
Valery.
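The argument above (placement at connect time looks balanced, but drifts as client activity changes, and only migrating established SAs can repair it without reconnects) can be made concrete with a small scheduling model. The following is example code added to this thread; it is not from draft-smyslov-ipsecme-ikev2-r-mobike or from any IKE implementation. The cluster, the clients and their traffic rates are constructed, and the model covers only which member hosts which IKE SA, not how SA state would be transferred securely between members.

```python
"""Constructed toy model of an IPsec gateway cluster: clients are placed on the
least-loaded member when they connect (what an IKE Redirect during IKE_AUTH can
achieve), their traffic later changes, and the resulting imbalance can only be
removed by moving already-established IKE SAs between members.
Example code added to this thread; not from the draft or any implementation."""

from dataclasses import dataclass


@dataclass
class Client:
    cid: int
    rate: float   # current traffic rate of the client's Child SAs (constructed units)
    member: int   # index of the cluster member currently holding its IKE SA


def assign_on_connect(connect_rates, n_members):
    """Place each client on the least-loaded member at connection time.
    Only the rate seen at connect time is known; later changes are not."""
    load = [0.0] * n_members
    clients = []
    for cid, rate in enumerate(connect_rates):
        m = min(range(n_members), key=lambda i: load[i])
        load[m] += rate
        clients.append(Client(cid, rate, m))
    return clients


def member_loads(clients, n_members):
    """Sum of per-client rates currently hosted on each member."""
    load = [0.0] * n_members
    for c in clients:
        load[c.member] += c.rate
    return load


def imbalance(loads):
    """Gap between the busiest and the idlest member."""
    return max(loads) - min(loads)


def apply_rate_change(clients, new_rates):
    """Simulate clients' activity changing after they are connected."""
    for c in clients:
        c.rate = new_rates[c.cid]


def rebalance_by_migration(clients, n_members, max_moves=100):
    """Greedy rebalancing: repeatedly move one IKE SA (with its Child SAs) from
    the most-loaded member to the least-loaded one while a move narrows the gap.
    Returns the list of (client, from_member, to_member) moves."""
    moves = []
    for _ in range(max_moves):
        loads = member_loads(clients, n_members)
        hi = max(range(n_members), key=lambda i: loads[i])
        lo = min(range(n_members), key=lambda i: loads[i])
        gap = loads[hi] - loads[lo]
        # Moving a client of rate r changes the gap to |gap - 2r|, so only
        # clients with 0 < r < gap reduce it; pick the one landing closest to 0.
        candidates = [c for c in clients if c.member == hi and 0 < c.rate < gap]
        if not candidates:
            break
        best = min(candidates, key=lambda c: abs(gap - 2 * c.rate))
        best.member = lo
        moves.append((best.cid, hi, lo))
    return moves


def demo():
    """Run the scenario and return (imbalance at connect, after drift,
    after migration, list of moves)."""
    n_members = 3
    # Constructed data: nine clients that all look alike when they connect ...
    connect_rates = [1.0] * 9
    clients = assign_on_connect(connect_rates, n_members)
    before = imbalance(member_loads(clients, n_members))
    # ... but later every third client (all on member 0) becomes ten times as busy.
    apply_rate_change(clients, [10.0, 1.0, 1.0, 10.0, 1.0, 1.0, 10.0, 1.0, 1.0])
    drifted = imbalance(member_loads(clients, n_members))
    moves = rebalance_by_migration(clients, n_members)
    after = imbalance(member_loads(clients, n_members))
    return before, drifted, after, moves


if __name__ == "__main__":
    before, drifted, after, moves = demo()
    print(f"imbalance at connect: {before}, after activity change: {drifted}, "
          f"after {len(moves)} SA migrations: {after}")
    for cid, src, dst in moves:
        print(f"  moved IKE SA of client {cid} from member {src} to member {dst}")
```

With the constructed numbers, connect-time placement is perfectly even, the activity change leaves one member with nine times the load of the others, and four SA migrations restore an even split; in the redirect-only model the same result would cost four clients a full IKE re-establishment.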