Hi,

The problem with IKE Redirect is that it requires the IKE SA to be re-established
from scratch.
It consumes quite a lot of resources and takes a noticeable amount of time.
Moreover, in some cases it could require human interaction (in the case of some
EAP methods, or if access to the client's credentials requires entering a PIN), so it
may be inappropriate.
The idea is to have a solution that utilizes the already established IKE SA and
moves it (along with its Child SAs) from one cluster member to another
without creating a new IKE SA.

[HJ] two questions:
1. This sounds interesting; however, how to do it securely is the most important
question. Do you already have a draft?

draft-smyslov-ipsecme-ikev2-r-mobike

2. If the use case is load balancing, then wouldn't it be better to make the selection right when the client connects (e.g. redirect during IKE_AUTH) than to move the SA around after the tunnel is established?

This is definitely an option (and it can even be achieved with IKE redirect).
However, once a client is connected you cannot move it to another member,
so depending on clients' activity the members' load can become very uneven and
you cannot balance it without forcing clients to reconnect. The desire is to be able to dynamically balance the members' load.

Regards,
Valery.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec