[mif] IPsec and multiple interfaces: draft-mglt-ipsecme-keep-old-ike-sa-00.txt

Daniel Migault <mglt.ietf@gmail.com> Fri, 05 July 2013 10:26 UTC

Date: Fri, 05 Jul 2013 12:26:28 +0200
Message-ID: <CADZyTkkQsJJfjgkCuUzFELrN6JnbEKCUewh2=Gc6GUQojE7iDA@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
To: "ipsec@ietf.org" <ipsec@ietf.org>
Cc: "mif@ietf.org" <mif@ietf.org>
Subject: [mif] IPsec and multiple interfaces: draft-mglt-ipsecme-keep-old-ike-sa-00.txt

Hi,

Please find here the new draft on multiple IPsec interfaces. From comments
of IETF86, we do not create multiple VPNs on each interface from a single
IKEv2 channel. Instead we keep a single IKEv2 channel for each VPN.

To create VPNs on multiple interfaces, we first create parallel IKEv2
channels (and associated VPNs). These VPNs use the same interfaces. Then the
additional IKEv2 channels (and associated VPNs) are moved to the proper
interface using MOBIKE.

We believe the changes to IPsec are minor. Feel free to make comments!

URL:
http://www.ietf.org/internet-drafts/draft-mglt-ipsecme-keep-old-ike-sa-00.txt

Best Regards,
Daniel
---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Fri, Jul 5, 2013 at 12:15 PM
Subject: New Version Notification for draft-mglt-ipsecme-keep-old-ike-sa-00.txt
To: Daniel Migault <mglt.ietf@gmail.com>



A new version of I-D, draft-mglt-ipsecme-keep-old-ike-sa-00.txt
has been successfully submitted by Daniel Migault and posted to the
IETF repository.

Filename:        draft-mglt-ipsecme-keep-old-ike-sa
Revision:        00
Title:           KEEP_OLD_IKE_SA Extension
Creation date:   2013-07-05
Group:           Individual Submission
Number of pages: 14
URL:
http://www.ietf.org/internet-drafts/draft-mglt-ipsecme-keep-old-ike-sa-00.txt
Status:
http://datatracker.ietf.org/doc/draft-mglt-ipsecme-keep-old-ike-sa
Htmlized:
http://tools.ietf.org/html/draft-mglt-ipsecme-keep-old-ike-sa-00


Abstract:
   This document considers a VPN Client setting up a VPN with a security
   gateway where at least one of the peers has multiple interfaces.

   With the current IKEv2, the outer IP addresses of the VPN are
   determined by those used by the IKEv2 channel.  As a result, using
   multiple interfaces requires setting an IKEv2 channel on each
   interface, and then on each path if both the VPN Client and the
   security gateway have multiple interfaces.  Setting multiple IKEv2
   channels involves multiple authentications, which MAY each require
   multiple round trips and delay the VPN establishment.  In addition,
   multiple authentications unnecessarily load the VPN client and the
   authentication infrastructure.

   This document presents the KEEP_OLD_IKE_SA extension, where an
   additional IKEv2 channel is created from an already authenticated IKEv2
   channel.  The newly created IKEv2 channel is set without the IKEv2
   authentication exchange.  The newly created IKEv2 channel can then be
   assigned to another interface using MOBIKE.




The IETF Secretariat




-- 
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
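The two-step procedure in the post (authenticate one IKEv2 channel, derive the additional channels from it without a new IKE_AUTH, then move each derived channel to its own interface with MOBIKE) is small enough to model as a state machine. The Python below is an added example written for this archive page; it is not code from the post, the draft, or any IKEv2 implementation. It assumes, from the abstract only, that KEEP_OLD_IKE_SA behaves like an IKE SA rekey whose old SA is kept rather than deleted, and it uses MOBIKE's UPDATE_SA_ADDRESSES (RFC 4555) for the move. The `authenticated_via` field, the class and function names, and the addresses are constructed for the model and are not protocol fields or values from the draft.

```python
"""Toy model of the procedure described in the post: open one fully
authenticated IKEv2 SA, derive additional IKE SAs from it (modelled
KEEP_OLD_IKE_SA), then move each derived SA to another interface with
MOBIKE, and compare the number of authentication exchanges with the
classic one-IKE_AUTH-per-interface setup. Addresses are constructed
sample values from the RFC 5737 documentation ranges."""
import itertools


class IkeSa:
    """State the model keeps per IKE SA."""

    def __init__(self, spi, local_addr, remote_addr, peer_id, authenticated_via):
        self.spi = spi
        self.local_addr = local_addr      # outer address on the client side
        self.remote_addr = remote_addr    # outer address of the security gateway
        self.peer_id = peer_id            # identity proven in IKE_AUTH (inherited when derived)
        # SPI of the SA whose IKE_AUTH this SA relies on; equals its own SPI
        # when the SA ran IKE_AUTH itself. Modelling field, not a protocol field.
        self.authenticated_via = authenticated_via


class IkeClient:
    """VPN client with several interfaces talking to one security gateway."""

    def __init__(self, interfaces, gateway_addr):
        self.interfaces = list(interfaces)
        self.gateway_addr = gateway_addr
        self.sas = {}                    # spi -> IkeSa
        self.auth_exchanges = 0          # IKE_AUTH runs (EAP, certificates, ...) performed
        self._spis = itertools.count(1)

    def ike_sa_init_and_auth(self, local_addr, identity):
        """Classic IKEv2: IKE_SA_INIT + IKE_AUTH on one interface, one full authentication."""
        self._require_interface(local_addr)
        spi = next(self._spis)
        self.auth_exchanges += 1
        sa = IkeSa(spi, local_addr, self.gateway_addr, identity, authenticated_via=spi)
        self.sas[spi] = sa
        return sa

    def derive_keep_old_ike_sa(self, parent_spi):
        """Modelled KEEP_OLD_IKE_SA: a new IKE SA is negotiated over the parent SA,
        like an IKE SA rekey, except that the parent is kept instead of deleted.
        No IKE_AUTH runs; the new SA carries the parent's authenticated identity.
        (Assumption about the draft's mechanism, modelled from its abstract.)"""
        parent = self.sas[parent_spi]
        spi = next(self._spis)
        sa = IkeSa(spi, parent.local_addr, parent.remote_addr,
                   parent.peer_id, authenticated_via=parent.authenticated_via)
        self.sas[spi] = sa
        return sa

    def mobike_update_sa_addresses(self, spi, new_local_addr):
        """MOBIKE (RFC 4555) UPDATE_SA_ADDRESSES: move the IKE SA, and the IPsec
        SAs under it, to another local interface. Only the outer address changes."""
        self._require_interface(new_local_addr)
        sa = self.sas[spi]
        sa.local_addr = new_local_addr
        return sa

    def _require_interface(self, addr):
        if addr not in self.interfaces:
            raise ValueError("%s is not an address of this client" % addr)


def classic_setup(interfaces, gateway_addr, identity):
    """One IKE_AUTH per interface: N interfaces -> N authentications."""
    client = IkeClient(interfaces, gateway_addr)
    for addr in interfaces:
        client.ike_sa_init_and_auth(addr, identity)
    return client


def keep_old_ike_sa_setup(interfaces, gateway_addr, identity):
    """The post's procedure: authenticate once, derive the other SAs in
    parallel on the same interface, then move each one with MOBIKE."""
    client = IkeClient(interfaces, gateway_addr)
    first = client.ike_sa_init_and_auth(interfaces[0], identity)
    for addr in interfaces[1:]:
        sa = client.derive_keep_old_ike_sa(first.spi)
        client.mobike_update_sa_addresses(sa.spi, addr)
    return client


def outer_address_pairs(client):
    """(client outer address, gateway outer address) per VPN, for comparison."""
    return sorted((sa.local_addr, sa.remote_addr) for sa in client.sas.values())


def sas_per_identity(client):
    """What a gateway should account for: every derived SA still belongs to the
    identity that was authenticated once, so per-peer policy and SA limits apply."""
    counts = {}
    for sa in client.sas.values():
        counts[sa.peer_id] = counts.get(sa.peer_id, 0) + 1
    return counts


if __name__ == "__main__":
    ifaces = ["192.0.2.10", "198.51.100.10"]   # constructed: two client interfaces
    gw = "203.0.113.1"                          # constructed: security gateway
    a = classic_setup(ifaces, gw, "client@example.com")
    b = keep_old_ike_sa_setup(ifaces, gw, "client@example.com")
    print("classic:", a.auth_exchanges, "authentications", outer_address_pairs(a))
    print("keep_old_ike_sa:", b.auth_exchanges, "authentication", outer_address_pairs(b))
```

Both setups end with the same set of outer address pairs, but the second performs a single IKE_AUTH. The `sas_per_identity` helper captures the operational consequence for the gateway side: SAs created without their own authentication exchange still count against the one authenticated identity, so any per-peer SA limits, authorization decisions and logging should be keyed on that identity rather than on how many IKE_AUTH runs were observed.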