Re: [IPsec] Working Group LC: draft-ietf-ipsecme-ipsec-ha-03

Yoav Nir <ynir@checkpoint.com> Thu, 27 May 2010 07:03 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: 'Jean-Michel Combes' <jeanmichel.combes@gmail.com>, Yaron Sheffer <yaronf.ietf@gmail.com>
Date: Thu, 27 May 2010 10:03:35 +0300
Cc: IPsecme WG <ipsec@ietf.org>

1. I didn't want to make ha-03 dependent on bis, but since bis is now approved, we may as well do it.

2. OK

3. It should be out of scope, because this is internal to the cluster. We are not going to require a peer to accept having two SAs with the same SPIs with the same peer, so it's up to the members to prevent this using their own out-of-scope method. It is possible to mention this and then say that it's out of scope, if people think this is necessary. 

Yoav

-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of Jean-Michel Combes
Sent: Wednesday, May 26, 2010 4:22 PM
To: Yaron Sheffer
Cc: IPsecme WG
Subject: Re: [IPsec] Working Group LC: draft-ietf-ipsecme-ipsec-ha-03

Hi,

Please find my review of this document:

1.  Introduction

   IKEv2, as described in [RFC4306] and [RFC4718], and IPsec, as
   described in [RFC4301] and others, allows deployment of VPNs between
   different sites as well as from VPN clients to protected networks.

<JMC>
Instead of mentioning [RFC4306] and [RFC4718], maybe replace with
[draft-ietf-ipsecme-ikev2bis]?
<JMC>

[snip]

2.  Terminology

[snip]

   "Failover" is the event where a one member takes over some load from
   some other member.  In a hot standby cluster, this hapens when a
   standby memeber becomes active due to a failure of the former active

<JMC>
s/memeber/member
<JMC>

[snip]

3.  The Problem Statement

<JMC>
I didn't see anything about potential collisions (e.g. SPI for a
specific SA on a member of the cluster is already used on another
member) during a failover: is such an issue out of scope?
<JMC>

Thanks in advance for your reply.

Best regards.

JMC.


2010/5/25 Yaron Sheffer <yaronf.ietf@gmail.com>:
> With 5 more days to go, this is a quick reminder to review the problem
> statement draft so we can move it along, and get to the juicy protocol
> stuff.
>
> This time around, we will take silence as agreement.
>
> Thanks,
>        Yaron
>
> On 05/16/2010 03:53 PM, Yaron Sheffer wrote:
>>
>> This is to begin a 2 week working group last call for
>> draft-ietf-ipsecme-ipsec-ha-03
>> (http://tools.ietf.org/html/draft-ietf-ipsecme-ipsec-ha-03). The target
>> status for this document is Informational.
>>
>> Please send your comments to the ipsec list by May 30, 2010, as
>> follow-ups to this message.
>>
>> Brief comments of the form: "I have read this draft and it looks fine"
>> are also welcome.
>>
>> Quick heads up: this is a requirements definition draft. Once we have
>> determined consensus around it, we would like to move forward with
>> solutions. Individual solution drafts are welcome as usual, but we would
>> like to establish at some point a design team to hash out a common
>> solution document. Let us know by private mail if you're interested.
>>
>> Thanks,
>> Yaron
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>