Hi,

A few years ago, we worked on fail-over, load balancing... [1] and would be happy to help.

Yours,
Daniel

[1] https://tools.ietf.org/html/draft-plmrs-ipsecme-ipsec-ikev2-context-definition-01

On Sun, Oct 29, 2017 at 2:55 AM, Valery Smyslov <[email protected]> wrote:

> Hi,
>
>>> The problem with IKE Redirect is that it requires IKE SA to be re-established
>>> from scratch.
>>> It consumes quite a lot of resources and takes a noticeable amount of time.
>>> Moreover, in some cases it could require human interaction (in case of some
>>> EAP methods or if access to client's credentials requires entering PIN), so it
>>> may be inappropriate.
>>> The idea is to have a solution that utilizes already established IKE SA and
>>> moves it (along with its Child SAs) from one cluster member to another
>>> without creating new IKE SA.
>>
>> [HJ] two questions:
>> 1. this sounds interesting, however how to do it securely is the most
>> important question, do you already have a draft?
>
> draft-smyslov-ipsecme-ikev2-r-mobike
>
>> 2. if the use case is load-balance, then wouldn't it be better off to
>> make a selection right upon client connects (e.g. redirect during IKE_AUTH)
>> than move SA around after tunnel is established?
>
> This is definitely an option (and even can be achieved with IKE redirect).
> However, once client is connected you cannot move it to another member,
> so depending on clients' activity members' load can become very uneven and
> you cannot balance it without forcing clients to reconnect. The desire is
> to be able to dynamically balance members' load.
>
> Regards,
> Valery.
>
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
