Hi,

I have some comments regarding the draft.

First, I'm a bit puzzled by the intended status of the draft: Standards Track. From my understanding this means that the document defines some protocol that needs to be standardized to get interoperability. But the draft defines no protocol; it just speculates on what the contents of the IKE/IPsec SA must be. While no doubt it is helpful, I think that the proper intended status for the draft is Informational.

Then, I've always been thinking that the content of the IKE/IPsec SA is an implementation issue. The draft tries to mandate this content, but it lacks plenty of absolutely needed information (this is especially true for the IKE SA), like MID counters, window bitmaps, lifetimes, credential information, VIDs, features, statistics and so on. On the other hand, the draft tries to mandate one way of presenting some data, ignoring the fact that it is not the only (and probably not the best) way. For example, instead of transferring nonces and the DH secret to the other node, one may transfer the computed SK_* keys. This approach may have some advantages from both security and performance perspectives.

Regards,
Valery Smyslov.

----- Original Message -----
From: Daniel Palomares
To: [email protected]
Sent: Thursday, February 13, 2014 6:09 PM
Subject: [IPsec] Draft: IKEv2/IPsec Context Definition

Hi,

Please find a draft we have posted. It concerns the definition of IKEv2 and IPsec contexts.

Comments are welcome,

BR,
Daniel Palomares

Name: draft-plmrs-ipsecme-ipsec-ikev2-context-definition
Revision: 00
Title: IKEv2/IPsec Context Definition
Document date: 2014-02-12
Group: Individual Submission
Pages: 8
URL: http://www.ietf.org/id/draft-plmrs-ipsecme-ipsec-ikev2-context-definition-00.txt
Status: https://datatracker.ietf.org/doc/draft-plmrs-ipsecme-ipsec-ikev2-context-definition/
Htmlized: http://tools.ietf.org/html/draft-plmrs-ipsecme-ipsec-ikev2-context-definition-00

Abstract

IPsec/IKEv2 clusters are constituted of multiple nodes accessed via a single address by the end user. The traffic is then split between the nodes via specific IP load balancing policies. Once a session is assigned to a given node, IPsec makes it difficult to assign the session to another node. This makes management operations and transparent high availability for end users difficult to perform within the cluster. This document describes the contexts for IKEv2 and IPsec that MUST be transferred between two nodes so a session can be restored. This makes it possible to transfer an IPsec session transparently to the end user.

Daniel PALOMARES
Orange Labs, Issy-les-Moulineaux
+33 6 34 23 07 88

------------------------------------------------------------------------------
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
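The point raised in the reply about shipping the computed SK_* keys instead of the nonces and the DH secret, as an added illustration that is not part of this thread or of the draft: a backup node can resume the IKE SA from either context format, but only the nonce-plus-secret format carries g^ir across the cluster and forces the backup node to repeat the key derivation. The derivation follows RFC 7296 section 2.13; the prf choice, the uniform 32-byte key length and the sample SA values are constructed assumptions.

```python
import hmac
import hashlib

KEY_LEN = 32  # assumption: every SK_* key is 32 bytes (PRF_HMAC_SHA2_256, AES-256)
SK_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()  # IKEv2 prf = PRF_HMAC_SHA2_256

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, T(n-1)|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([n]))
        out, n = out + prev, n + 1
    return out[:length]

def derive_sk(sa: dict) -> dict:
    """SKEYSEED = prf(Ni|Nr, g^ir); SK_* = prf+(SKEYSEED, Ni|Nr|SPIi|SPIr)."""
    skeyseed = prf(sa["Ni"] + sa["Nr"], sa["g_ir"])
    km = prf_plus(skeyseed, sa["Ni"] + sa["Nr"] + sa["SPIi"] + sa["SPIr"], len(SK_NAMES) * KEY_LEN)
    return {name: km[i * KEY_LEN:(i + 1) * KEY_LEN] for i, name in enumerate(SK_NAMES)}

def context_from_secrets(sa: dict) -> dict:
    """Ship nonces and the DH secret; the backup node has to re-run the derivation."""
    return {k: sa[k] for k in ("Ni", "Nr", "g_ir", "SPIi", "SPIr")}

def context_from_keys(sa: dict) -> dict:
    """Ship only the derived SK_* keys (plus SPIs); g^ir never leaves the primary node."""
    return {"SPIi": sa["SPIi"], "SPIr": sa["SPIr"], **derive_sk(sa)}

def restore_sk(ctx: dict) -> dict:
    """Backup node: take the shipped keys if present, otherwise re-derive them."""
    return {n: ctx[n] for n in SK_NAMES} if "SK_d" in ctx else derive_sk(ctx)

def integrity_tag(sk: dict, message: bytes) -> bytes:
    """Initiator's integrity check value on an IKE message (AUTH_HMAC_SHA2_256_128)."""
    return prf(sk["SK_ai"], message)[:16]

# Constructed sample state of an established IKE SA (not captured traffic).
SA = {"Ni": b"\x11" * 32, "Nr": b"\x22" * 32, "g_ir": b"\x33" * 256,
      "SPIi": b"\x01" * 8, "SPIr": b"\xa1" * 8}
MSG = b"constructed IKE header plus encrypted payload"

def demo() -> dict:
    """Per context format: (backup node computes the same tag?, does the context ship g^ir?)."""
    want = integrity_tag(derive_sk(SA), MSG)
    return {label: (integrity_tag(restore_sk(ctx), MSG) == want, "g_ir" in ctx)
            for label, ctx in (("secrets", context_from_secrets(SA)), ("keys", context_from_keys(SA)))}
```

Running `demo()` yields `{"secrets": (True, True), "keys": (True, False)}`: both contexts let the backup node produce the same integrity tag as the primary, but only the first one exposes the DH secret to the transfer channel.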
