Re: [IPsec] Survey for WG interest in adoptingdraft-mglt-ipsecme-clone-ike-sa
"Valery Smyslov" <svanru@gmail.com> Fri, 28 November 2014 11:43 UTC
Return-Path: <svanru@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03E501A1B39 for <ipsec@ietfa.amsl.com>; Fri, 28 Nov 2014 03:43:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7DdZRtdXO2Q for <ipsec@ietfa.amsl.com>; Fri, 28 Nov 2014 03:43:50 -0800 (PST)
Received: from mail-la0-x232.google.com (mail-la0-x232.google.com [IPv6:2a00:1450:4010:c03::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0E201A1B07 for <ipsec@ietf.org>; Fri, 28 Nov 2014 03:43:49 -0800 (PST)
Received: by mail-la0-f50.google.com with SMTP id pn19so4713314lab.23 for <ipsec@ietf.org>; Fri, 28 Nov 2014 03:43:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:from:to:cc:references:subject:date:mime-version :content-type:content-transfer-encoding; bh=3r1IcK0ObK3jC53RYnM8GaOUCrvPZh1ZCU41AAmNWhU=; b=S0q4KO3HH3YRccL+Vb1lNdzwSScJ9gsoNdPBvGrsJGcQGP4Yixc9vNV/blgnORKdLO O729lwtw7bAJw0eTyoiKbPY0l0pnCTmhuV+VB7T4X5zZq/7EzMlOIhp9hGfsp/i6CBuI egCRjqzw256MTfsW8YSZ7Iu0hS9QwjXZ07nDAM77sKgvuxVT+B7lDSVVl97JVcjvA1Ho b64sHKFmPXgnzNJdrGaqCQ6me6Q6JZz7MGOecDBSV3DUl1Qtr6g4V39Ib8LVT++FZ9MB 11qiQDyeuiy4dKIjRt36hlrSkWu6kVVAKXlL5Qz6z32wspukuwOpir+ubVRnibvb5RHw qNHA==
X-Received: by 10.152.6.166 with SMTP id c6mr43476562laa.20.1417175028503; Fri, 28 Nov 2014 03:43:48 -0800 (PST)
Received: from buildpc ([93.188.44.200]) by mx.google.com with ESMTPSA id f4sm2539542laa.9.2014.11.28.03.43.47 for <multiple recipients> (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 28 Nov 2014 03:43:47 -0800 (PST)
Message-ID: <B33CA054BF5747E4B8D95A9259F82081@buildpc>
From: Valery Smyslov <svanru@gmail.com>
To: Paul Wouters ?? <paul@nohats.ca>
References: <FC0E9543-B2FE-48FE-8CBD-D3BDF2AA2B96@vpnc.org> <A8C8555BA51C4BDEBE348A4A6ABF33ED@buildpc> <alpine.LFD.2.10.1411271114320.7507@bofh.nohats.ca>
Date: Fri, 28 Nov 2014 14:43:52 +0300
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="response"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/n-LiZVzlJh4u6e4d9Nn2r5ERNQQ
Cc: IPsecME WG <ipsec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] Survey for WG interest in adoptingdraft-mglt-ipsecme-clone-ike-sa
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Nov 2014 11:43:52 -0000
Hi Paul, >> I think that the mechanism it describes is useful and could be used >> as a building block for several solutions. For example, >> it can be used in load-sharing scenario when there are >> some gateways with different IP addresses, that share >> the same credentials. If client established IKE SA with >> any of them then the SA could be cloned and transfered >> to other nodes of this cluster without reauthentication, >> and the traffic from client then could be balanced >> among those gateways. > > That would run into replay protection problems, just like if you copy > all kernel IPsec state between machines. Why? If I copy only IKE SA and then create IPsec SAs on new gateway there will be no need to copy kernel IPsec states and deal with replay protection. > And I believe load sharing > when properly done should be invisible to client side and not need > special support. I agree with you in general, but I don't think it is always feasible in case of IPsec without some cooperation with client (or you will really need to share kernel IPsec state between cluster nodes). >>> Greetings again. The "Clone IKE SA" proposal tries to optimize IKE SA >>> setup in cases where VPN gateways have multiple interfaces and want to >>> establish different SAs on the different interfaces without having to >>> repeat the IKE authentication. Instead, they could clone a single IKE SA >>> multiple times, and then move it to different interfaces using MOBIKE. >>> >>> If you agree with the need to standardize this usage, and believe that >>> draft-mglt-ipsecme-clone-ike-sa is likely to be a good starting place >>> for that standardization, and are willing to review and contribute text >>> to the document if it is adopted by the WG, please say so on the list. > > I am interested in the problem, but have bad feelings about throwing > around IKE states from two peers to another peer, which this > mechanism seems to leave open. For instance, I would much rather see > some informational exchange method or create child sa method using the > existing IKE SA for conveying this information and somehow creatie the > additional new Child SA. Isn't this similar to what resumption does? > Throwing around private keys or computed shared secrets to multiple > peers worry me. It is often unavoidable in case of clusters. And of course all due precautions need to be taken in this case to minimize chances to leak information. Valery. > Paul
- [IPsec] Survey for WG interest in adopting draft-… Paul Hoffman
- Re: [IPsec] Survey for WG interest in adoptingdra… Valery Smyslov
- Re: [IPsec] Survey for WG interest in adoptingdra… Yaron Sheffer
- Re: [IPsec] Survey for WG interest in adoptingdra… Valery Smyslov
- Re: [IPsec] Survey for WG interest in adoptingdra… Paul Wouters 🔓
- Re: [IPsec] Survey for WG interest in adoptingdra… Valery Smyslov
- [IPsec] Survey for WG interest in adopting draft-… Tero Kivinen
- Re: [IPsec] Survey for WG interest in adoptingdra… Tero Kivinen
- Re: [IPsec] Survey for WG interest in adopting dr… Yaron Sheffer
- [IPsec] load-sharing and draft-mglt-ipsecme-clone… Michael Richardson
- Re: [IPsec] Survey for WG interest in adopting dr… Daniel Migault
- Re: [IPsec] Survey for WG interest in adoptingdra… Daniel Migault