Hi Jun,
1. Develop a load sharing cluster solution for IKEv2/IPsec. The possible charter text:
The MOBIKE protocol [RFC4555] is used to move an existing IKE/IPsec SA from one IP address to another. However, in MOBIKE it is the initiator of the IKE SA (i.e. the remote access client) that controls this process. If there are several responders, each having its own IP address and acting together as a load sharing cluster, then it is desirable for them to have the ability to request the initiator to switch to a particular member. The working group will analyze the possibility of extending the MOBIKE protocol or developing a new IKE extension that will allow building load sharing clusters in an interoperable way.
[HJ] Why can't RFC 5685 (Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)) be used for this purpose?
The problem with IKE Redirect is that it requires the IKE SA to be re-established from scratch. It consumes quite a lot of resources and takes a noticeable amount of time. Moreover, in some cases it could require human interaction (in case of some EAP methods or if access to the client's credentials requires entering a PIN), so it may be inappropriate.
The idea is to have a solution that utilizes the already established IKE SA and moves it (along with its Child SAs) from one cluster member to another without creating a new IKE SA.
Regards,
Valery.