Of possible interest to people here.
Responses to this should go to [email protected], not to the IPsecME WG
mailing list.
Forwarded message:
From: The IESG <[email protected]>
To: IETF-Announce <[email protected]>
Subject: Last Call: <draft-mglt-ipsecme-clone-ike-sa-05.txt> (Cloning
IKE SA in the Internet Key Exchange Protocol Version 2 (IKEv2)) to
Proposed Standard
Date: Tue, 29 Sep 2015 14:46:46 -0700
The IESG has received a request from an individual submitter to
consider
the following document:
- 'Cloning IKE SA in the Internet Key Exchange Protocol Version 2
(IKEv2)'
<draft-mglt-ipsecme-clone-ike-sa-05.txt> as Proposed Standard
The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
[email protected] mailing lists by 2015-10-27. Exceptionally, comments may
be
sent to [email protected] instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.
Abstract
This document considers a VPN End User establishing an IPsec SA with
a Security Gateway using the Internet Key Exchange Protocol Version 2
(IKEv2), where at least one of the peers has multiple interfaces or
where Security Gateway is a cluster with each node having its own IP
address.
With the current IKEv2 protocol, the outer IP addresses of the IPsec
SA are determined by those used by IKE SA. As a result using
multiple interfaces requires to set up an IKE SA on each interface,
or on each path if both the VPN Client and the Security Gateway have
multiple interfaces. Setting each IKE SA involves authentications
which might require multiple round trips as well as activity from the
VPN End User and thus would delay the VPN establishment. In addition
multiple authentications unnecessarily increase the load on the VPN
client and the authentication infrastructure.
This document presents the solution that allows to clone IKEv2 SA,
where an additional SA is derived from an existing one. The newly
created IKE SA is set without the IKEv2 authentication exchange.
This IKE SA can later be assigned to another interface or moved to
another cluster mode using MOBIKE protocol.
The file can be obtained via
https://datatracker.ietf.org/doc/draft-mglt-ipsecme-clone-ike-sa/
IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-mglt-ipsecme-clone-ike-sa/ballot/
No IPR declarations have been submitted directly on this I-D.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
