> -----Original Message-----
> From: Valery Smyslov [mailto:sva...@gmail.com]
>
> > 1. Develop load sharing cluster solution for IKEv2/IPsec. The possible charter text:
> >
> > MOBIKE protocol [RFC4555] is used to move an existing IKE/IPsec SA from one IP address to another. However, in MOBIKE it is the initiator of the IKE SA (i.e. the remote access client) that controls this process. If there are several responders, each having its own IP address and acting together as a load sharing cluster, then it is desirable for them to have the ability to request the initiator to switch to a particular member. The working group will analyze the possibility to extend the MOBIKE protocol or to develop a new IKE extension that will allow building load sharing clusters in an interoperable way.
>
> [HJ] Why can't RFC 5685 (Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)) be used for this purpose?
>
> The problem with IKE Redirect is that it requires the IKE SA to be re-established from scratch. It consumes quite a lot of resources and takes a noticeable amount of time. Moreover, in some cases it could require human interaction (in the case of some EAP methods, or if access to the client's credentials requires entering a PIN), so it may be inappropriate. The idea is to have a solution that utilizes the already established IKE SA and moves it (along with its Child SAs) from one cluster member to another without creating a new IKE SA.
[HJ] Two questions:

1. This sounds interesting; however, how to do it securely is the most important question. Do you already have a draft?

2. If the use case is load balancing, then wouldn't it be better to make a selection right when the client connects (e.g. redirect during IKE_AUTH) than to move the SA around after the tunnel is established?

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
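Since the thread contrasts the existing RFC 5685 redirect with the proposed MOBIKE-style move, the following added example (not code from the thread or from any IKE implementation) parses the Notification Data of an RFC 5685 REDIRECT notify and applies the check that makes an unauthenticated IKE_SA_INIT redirect safe: the echoed nonce must equal the Ni the initiator sent. The sample byte strings are constructed here; the Notify type constants and the GW Ident Type layout come from RFC 5685.

```python
import ipaddress
import struct
from typing import Optional

# IKEv2 Notify Message Type values registered by RFC 5685.
REDIRECT_SUPPORTED = 16406
REDIRECT = 16407
REDIRECTED_FROM = 16408

# GW Ident Type values for the New Responder GW Identity field (RFC 5685).
GW_IPV4 = 1
GW_IPV6 = 2
GW_FQDN = 3


def parse_redirect(data: bytes, expected_nonce: Optional[bytes] = None) -> dict:
    """Parse REDIRECT Notification Data: GW Ident Type (1 octet),
    GW Ident Len (1 octet), identity, then Nonce Data.

    expected_nonce is the Ni the initiator sent in IKE_SA_INIT; pass it when
    the REDIRECT arrives in the (unprotected) IKE_SA_INIT response, where
    RFC 5685 requires the echoed nonce to match before the client moves.
    Pass None for a REDIRECT received inside an established IKE SA.
    """
    if len(data) < 2:
        raise ValueError("REDIRECT data too short")
    ident_type, ident_len = struct.unpack("!BB", data[:2])
    ident = data[2:2 + ident_len]
    if len(ident) != ident_len:
        raise ValueError("GW Ident Len exceeds payload")
    if ident_type == GW_IPV4 and ident_len == 4:
        gateway = str(ipaddress.IPv4Address(ident))
    elif ident_type == GW_IPV6 and ident_len == 16:
        gateway = str(ipaddress.IPv6Address(ident))
    elif ident_type == GW_FQDN and ident_len > 0:
        gateway = ident.decode("ascii")
    else:
        raise ValueError(f"bad GW Ident Type/Len {ident_type}/{ident_len}")
    nonce = data[2 + ident_len:]
    if expected_nonce is not None and nonce != expected_nonce:
        # A spoofed IKE_SA_INIT response cannot know Ni; discard the redirect.
        raise ValueError("nonce mismatch: REDIRECT not bound to our IKE_SA_INIT")
    return {"type": ident_type, "gateway": gateway, "nonce": nonce}
```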