Re: [IPsec] Survey for WG interest in adoptingdraft-mglt-ipsecme-clone-ike-sa
Paul Wouters 🔓 <paul@nohats.ca> Thu, 27 November 2014 16:22 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05AE51A00F5 for <ipsec@ietfa.amsl.com>; Thu, 27 Nov 2014 08:22:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.71
X-Spam-Level:
X-Spam-Status: No, score=-1.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nJa2iSBpnWfD for <ipsec@ietfa.amsl.com>; Thu, 27 Nov 2014 08:22:14 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A83C1A00DE for <ipsec@ietf.org>; Thu, 27 Nov 2014 08:22:14 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id EA43F817C1; Thu, 27 Nov 2014 11:22:12 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1417105332; bh=hrwvSQSgQf1WiRgxey2B75DMGJF9EP1Z9PZEul2ymKM=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=MrSl/u4NaLxgFp3eV6JJh5KZw5LEjzjCcSa/EYpsdLJbMDllPhqxYbYQeoN4qg8Pe NyCwYSP8PUb9FojFrIUp39k7XFgE3APjlU6VbI1XvrroLPhpmm9fTneZ98xM79Q+SM 6zxGEGP8SysrV0vT+yunN15KpBMteTkmhmY789RA=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id sARGMB8b009237; Thu, 27 Nov 2014 11:22:12 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Thu, 27 Nov 2014 11:22:11 -0500
From: Paul Wouters 🔓 <paul@nohats.ca>
To: Valery Smyslov <svanru@gmail.com>
In-Reply-To: <A8C8555BA51C4BDEBE348A4A6ABF33ED@buildpc>
Message-ID: <alpine.LFD.2.10.1411271114320.7507@bofh.nohats.ca>
References: <FC0E9543-B2FE-48FE-8CBD-D3BDF2AA2B96@vpnc.org> <A8C8555BA51C4BDEBE348A4A6ABF33ED@buildpc>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/rIpecJA0i6ATKBq7oD_lJmyZ0ak
Cc: IPsecME WG <ipsec@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] Survey for WG interest in adoptingdraft-mglt-ipsecme-clone-ike-sa
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Nov 2014 16:22:17 -0000
On Thu, 27 Nov 2014, Valery Smyslov wrote: > I think that the mechanism it describes is useful and could be used > as a building block for several solutions. For example, > it can be used in load-sharing scenario when there are > some gateways with different IP addresses, that share > the same credentials. If client established IKE SA with > any of them then the SA could be cloned and transfered > to other nodes of this cluster without reauthentication, > and the traffic from client then could be balanced > among those gateways. That would run into replay protection problems, just like if you copy all kernel IPsec state between machines. And I believe load sharing when properly done should be invisible to client side and not need special support. >> Greetings again. The "Clone IKE SA" proposal tries to optimize IKE SA setup >> in cases where VPN gateways have multiple interfaces and want to establish >> different SAs on the different interfaces without having to repeat the IKE >> authentication. Instead, they could clone a single IKE SA multiple times, >> and then move it to different interfaces using MOBIKE. >> >> If you agree with the need to standardize this usage, and believe that >> draft-mglt-ipsecme-clone-ike-sa is likely to be a good starting place for >> that standardization, and are willing to review and contribute text to the >> document if it is adopted by the WG, please say so on the list. I am interested in the problem, but have bad feelings about throwing around IKE states from two peers to another peer, which this mechanism seems to leave open. For instance, I would much rather see some informational exchange method or create child sa method using the existing IKE SA for conveying this information and somehow creatie the additional new Child SA. Throwing around private keys or computed shared secrets to multiple peers worry me. Paul
- [IPsec] Survey for WG interest in adopting draft-… Paul Hoffman
- Re: [IPsec] Survey for WG interest in adoptingdra… Valery Smyslov
- Re: [IPsec] Survey for WG interest in adoptingdra… Yaron Sheffer
- Re: [IPsec] Survey for WG interest in adoptingdra… Valery Smyslov
- Re: [IPsec] Survey for WG interest in adoptingdra… Paul Wouters 🔓
- Re: [IPsec] Survey for WG interest in adoptingdra… Valery Smyslov
- [IPsec] Survey for WG interest in adopting draft-… Tero Kivinen
- Re: [IPsec] Survey for WG interest in adoptingdra… Tero Kivinen
- Re: [IPsec] Survey for WG interest in adopting dr… Yaron Sheffer
- [IPsec] load-sharing and draft-mglt-ipsecme-clone… Michael Richardson
- Re: [IPsec] Survey for WG interest in adopting dr… Daniel Migault
- Re: [IPsec] Survey for WG interest in adoptingdra… Daniel Migault