Re: [IPsec] Survey for WG interest in adopting draft-mglt-ipsecme-clone-ike-sa

"Valery Smyslov" <svanru@gmail.com> Thu, 27 November 2014 14:26 UTC

Message-ID: <73B67B471295424A839CDE89A4327503@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, Paul Hoffman <paul.hoffman@vpnc.org>, IPsecME WG <ipsec@ietf.org>
References: <FC0E9543-B2FE-48FE-8CBD-D3BDF2AA2B96@vpnc.org> <A8C8555BA51C4BDEBE348A4A6ABF33ED@buildpc> <54772059.80805@gmail.com>
Date: Thu, 27 Nov 2014 17:26:04 +0300
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/X2zv9xi245h5DzEEDVZwsAAp3Zw
Subject: Re: [IPsec] Survey for WG interest in adopting draft-mglt-ipsecme-clone-ike-sa

Hi Yaron,

one disadvantage is that the client in this case
must know all the cluster's addresses beforehand.
It is better when the cluster itself makes the decision
when and where to move any particular client
and the client plays only a passive role.

And resumption tickets are intended to
restore the IKE SA with that particular gateway, not to clone it.
So tickets are one-time use. I think ticket management
can become too complex if we want to allow
the client to have multiple tickets and to use them
in any order with any cluster member.

Regards,
Valery.


----- Original Message -----
From: "Yaron Sheffer" <yaronf.ietf@gmail.com>
To: "Valery Smyslov" <svanru@gmail.com>; "Paul Hoffman" <paul.hoffman@vpnc.org>; "IPsecME WG" <ipsec@ietf.org>
Sent: Thursday, November 27, 2014 4:00 PM
Subject: Re: [IPsec] Survey for WG interest in adopting draft-mglt-ipsecme-clone-ike-sa


> <hat on: RFC 5723 co-author>
>
> Hi Valery,
>
> Have you looked at using session resumption (RFC 5723) for this, instead 
> of coming up with a new mechanism?
>
> Thanks,
> Yaron
>
> On 11/27/2014 02:56 PM, Valery Smyslov wrote:
>> Hi all,
>>
>> as a co-author of the draft I (obviously) support its adoption.
>>
>> I think that the mechanism it describes is useful and could be used
>> as a building block for several solutions. For example,
>> it can be used in a load-sharing scenario where there are
>> some gateways with different IP addresses that share
>> the same credentials. If the client established an IKE SA with
>> any of them, then the SA could be cloned and transferred
>> to other nodes of this cluster without reauthentication,
>> and the traffic from the client could then be balanced
>> among those gateways.
>>
>> Regards,
>> Valery Smyslov.
>>
>>
>> ----- Original Message ----- From: "Paul Hoffman" <paul.hoffman@vpnc.org>
>> To: "IPsecME WG" <ipsec@ietf.org>
>> Sent: Tuesday, November 25, 2014 11:06 PM
>> Subject: [IPsec] Survey for WG interest in adopting draft-mglt-ipsecme-clone-ike-sa
>>
>>
>>> <chair hats on>
>>>
>>> Greetings again. The "Clone IKE SA" proposal tries to optimize IKE SA
>>> setup in cases where VPN gateways have multiple interfaces and want to
>>> establish different SAs on the different interfaces without having to
>>> repeat the IKE authentication. Instead, they could clone a single IKE
>>> SA multiple times, and then move it to different interfaces using 
>>> MOBIKE.
>>>
>>> If you agree with the need to standardize this usage, and believe that
>>> draft-mglt-ipsecme-clone-ike-sa is likely to be a good starting place
>>> for that standardization, and are willing to review and contribute
>>> text to the document if it is adopted by the WG, please say so on the
>>> list. This WG has a history of adopting documents but then not having
>>> enough reviewers for us to feel confident that we are making a good
>>> standard, so we need to see a reasonable number of actively interested
>>> people before we adopt the document. If it is not adopted, the authors
>>> can ask for it to be published as an RFC through individual submission
>>> or by the Independent Submissions Editor.
>>>
>>> Please reply by December 8, 2015.
>>>
>>> --Paul Hoffman and Yaron Sheffer
>>> _______________________________________________
>>> IPsec mailing list
>>> IPsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ipsec
>>