[mif] Securing Multiple Interfaces with IPsec

Daniel Migault <mglt.ietf@gmail.com> Tue, 02 December 2014 12:42 UTC

Hi,

We would like to inform you that the ipsecme WG has started a survey of
interest <http://www.ietf.org/mail-archive/web/ipsec/current/msg09442.html>
[1] for the draft-mglt-ipsecme-clone-ike-sa
<https://datatracker.ietf.org/doc/draft-mglt-ipsecme-clone-ike-sa/> [2].
This draft details how to set up IPsec Security Associations with multiple
interfaces. If you think this topic should or should not be addressed,
please respond to this mail by December 8.

If you have any questions regarding the document, feel free to let us know.

BR

Daniel and Valery (authors of the draft)

*I. Area that may benefit from this optimization:*

The main scenarios we envisioned for IPsec with multiple interfaces were:
    - Offload from RAN to WLAN network
    - Resilience
    - Multiple Path TCP: I believe this is the optimal way to have IPsec with Multiple Path TCP, for example.


*II. Scenarios that motivated the document*

The initial motivation for the document was to optimize setting up IPsec
associations with devices that have more than one interface. Briefly
speaking, currently, setting up an IPsec association with multiple interfaces
requires one authentication per interface. This introduces multiple delays,
especially when authentication requires multiple round trips. With the
optimization, we make it possible to configure it with a single
authentication. Authentication is performed on a single interface, and for
the other interfaces, the IPsec authentication and settings are "replicated".

Another scenario that motivated us was load sharing between different
security gateways (each of them has its own IP addresses). In this case the
client creates an IKE SA with any of these security gateways and could then be
moved to another without re-authentication. Of course, this assumes that the
security gateways can communicate with each other and exchange IKE and
IPsec SA states.


[1] http://www.ietf.org/mail-archive/web/ipsec/current/msg09442.html
[2] https://datatracker.ietf.org/doc/draft-mglt-ipsecme-clone-ike-sa/

-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58