On 29.9.2014, at 14.57, Tero Kivinen <[email protected]> wrote:
> Markus Stenberg writes:
>>
>>> If homenet needs multicast support then it might be good idea to push
>>> that document forward.
>> How does this solution work with e.g. link-local-only
>> littleconf-TOFU setup?
>
> I have no idea what littleconf-TOFU setup looks like, so cannot
> comment..

Guess I’ll come over and discuss this at some point (not sure how much you have followed the 100+ message thread here).

>> To be more precise, I am not sure which node would be GCKS, and how
>> other nodes would find that node. Based on cursory read of the
>> draft, it seems to assume that non-GCKS nodes know GCKS address in
>> advance.
>
> As the G-IKEv2 uses IKE_SA_INIT from the IKEv2 for the first exchange,
> the RFC5685 IKEv2 redirect with anycast address (see section 4 of
> RFC5685) would work with it just fine.
>
> I.e. the new device wanting to know the GCKS to talk to would send
> anycast IKEv2 packet to the network:
>
>   Initiator                       Responder (any VPN GW)
>   ---------                       -------------------------
>
>   (IP_I:500 -> ANYCAST:500)
>   HDR(A,0), SAi1, KEi, Ni) -->
>   N(REDIRECT_SUPPORTED)
>
>                                   (ANYCAST:500 -> IP_I:500)
>                             <--   HDR(A,0), N(REDIRECT, New_GW_ID, Ni_data)
>
> (with G-IKEv2 the port number would be the normal G-IKEv2 port, i.e.
> 848, not 500).
>
> I.e. now the router listening this link can reply to the anycast
> request, with the proper gateway address (which might be his own, if
> he is the one acting as GCKS).
>
> The anycast support for redirect was meant to be used for
> bootstrapping cases, i.e. where the client does not know yet who to
> talk to.

Hmmh. In G-IKEv2 case, I am not sure if it is this simple. Because ultimately you want there to be only one GCKS (per link), but at boot time, there is lots of raciness about who comes up first, and decides they are one.

i.e.

router 1 boots up -> anycast (no reply)
~at same time router 2 boots up -> anycast (no reply)

both think they can be the GCKS. I suppose one could define some robust mechanics to make sure that ultimately you have only one and/or share state between them so that it does not matter?

Cheers,

-Markus

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
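The bootstrap exchange and the startup race discussed above, as an added example that is not part of the thread, of RFC 5685 or of the G-IKEv2 draft: a small Python simulation of routers on one link discovering a GCKS through the anycast REDIRECT reply. Sequential boot converges on a single GCKS, simultaneous boot leaves two self-appointed ones, and a reconciliation pass resolves the split. The `Router` and `Link` classes, the numeric router ids, the choice of which router answers an anycast, and the "lowest id wins" reconciliation rule are assumptions of this example, not mechanics the thread or the draft defines.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

GIKEV2_PORT = 848  # G-IKEv2 port named in the thread (plain IKEv2 uses 500)


@dataclass
class Router:
    rid: int                    # assumed: unique per-router id, used as tie-break
    gcks: Optional[int] = None  # id of the router this one believes is the link GCKS


@dataclass
class Link:
    """One homenet link; every router on it receives the anycast request."""
    routers: Dict[int, Router] = field(default_factory=dict)

    def add(self, rid: int) -> Router:
        r = Router(rid)
        self.routers[rid] = r
        return r

    def anycast_redirect(self, initiator: Router) -> Optional[int]:
        """Model of the RFC 5685 exchange quoted in the thread, on ANYCAST:848:
             -> HDR, SAi1, KEi, Ni, N(REDIRECT_SUPPORTED)
             <- HDR, N(REDIRECT, New_GW_ID, Ni_data)
        A router that already knows a GCKS answers with that id as New_GW_ID.
        Assumption: when several routers could answer, the lowest-id one is heard."""
        for rid in sorted(self.routers):
            r = self.routers[rid]
            if r is not initiator and r.gcks is not None:
                return r.gcks
        return None  # silence: nobody on the link knows a GCKS yet

    def _decide(self, r: Router, reply: Optional[int]) -> None:
        # No REDIRECT heard -> this router concludes it must be the GCKS itself.
        r.gcks = reply if reply is not None else r.rid

    def boot_sequential(self, rids: Iterable[int]) -> None:
        """Routers come up one after another: each later router is redirected
        to the GCKS the first one became, so the link converges."""
        for rid in rids:
            r = self.add(rid)
            self._decide(r, self.anycast_redirect(r))

    def boot_concurrent(self, rids: Iterable[int]) -> None:
        """Routers come up at the same time: every anycast goes out before any
        router has decided, so all of them go unanswered (the race in the thread)."""
        new = [self.add(rid) for rid in rids]
        replies = [self.anycast_redirect(r) for r in new]
        for r, reply in zip(new, replies):
            self._decide(r, reply)

    def gcks_set(self) -> set:
        """Set of distinct GCKS ids believed on the link; one element means converged."""
        return {r.gcks for r in self.routers.values()}

    def reconcile(self, max_rounds: int = 10) -> int:
        """Assumed convergence rule (not from the thread): each router periodically
        re-sends the anycast and yields if it hears of a GCKS with a lower id than
        the one it currently holds. Returns the number of rounds until stable."""
        for rnd in range(1, max_rounds + 1):
            changed = False
            for rid in sorted(self.routers):
                r = self.routers[rid]
                reply = self.anycast_redirect(r)
                if reply is not None and r.gcks is not None and reply < r.gcks:
                    r.gcks = reply
                    changed = True
            if not changed:
                return rnd
        raise RuntimeError("link did not converge on a single GCKS")


if __name__ == "__main__":
    # Constructed scenarios mirroring the two cases in the mail.
    ordered = Link()
    ordered.boot_sequential([1, 2, 3])
    print("sequential boot, GCKS set:", ordered.gcks_set())

    raced = Link()
    raced.boot_concurrent([1, 2])
    print("concurrent boot, GCKS set:", raced.gcks_set())
    rounds = raced.reconcile()
    print("after reconcile (%d rounds), GCKS set:" % rounds, raced.gcks_set())
```

Running the script prints a single-element set for the sequential case, a two-element set for the simultaneous boot, and a single-element set again once the assumed tie-break has run; swapping the boot order in `boot_sequential` shows that without a race, whichever router came up first keeps the role.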
