Hi, 

> These are items on which we did not manage to reach full consensus in the IETF
> 100 meeting. There were concerns and questions about why this is needed and
> why it cannot be done with already existing methods (mostly redirect
> etc., or updating the address lists).
> 
> The proposed charter text is
> 
> ----------------------------------------------------------------------
> 
> The MOBIKE protocol [RFC4555] is used to move an existing IKE/IPsec SA from
> one IP address to another. However, in MOBIKE it is the initiator of
> the IKE SA (i.e. the remote access client) that controls this process. If
> there are several responders, each having its own IP address and acting
> together as a load sharing cluster, then it is desirable for them to
> have the ability to request the initiator to switch to a particular member.
> The working group will analyze the possibility of extending the MOBIKE
> protocol or developing a new IKE extension that will allow building load
> sharing clusters in an interoperable way.
> 
> ----------------------------------------------------------------------
> 
> It could also be possible that we first start just researching whether
> we actually need any protocol changes, and if so make specifications
> for them, and if not, we might still want to publish some kind of
> informational document describing how those existing mechanisms can be
> used for this purpose.
> 
> Send your comments, and whether you support adding this to the charter,
> to the ipsec list in the next two weeks.

I obviously support this item.

The whole idea is that currently there is no interoperable way of building
load-sharing IPsec clusters. To effectively balance their load, the nodes
of such a cluster must be able to dynamically move clients from one node
to another at the node's discretion. So, in IKE terms, it is the responder who
must decide which other responder the initiator should continue
to communicate with.

What do we have now:

1. IKE redirect. It's the most obvious choice. However, IKE redirect
   requires that the client create the IKE SA with the node it is redirected to
   from scratch, with full authentication. This is:
      1) inefficient from a resource consumption point of view
      2) causes delays
      3) most importantly, it may require user interaction (EAP authentication,
         or entering a PIN to access user keys) that is completely unexpected
         to the user

2. IKE Redirect + IKE Resumption. Currently it is assumed that the client
   resumes to the same server it received the resumption ticket from,
   so some additional tweaking of IKE resumption is needed.
   This approach is more efficient than 1, however IPsec SAs still need to
   be recreated.

3. MOBIKE. In current MOBIKE only the original initiator can initiate a change of IP
   addresses.
   If this problem is solved, then this is the best choice for load sharing
   clusters.

I think that the problem is important and the WG should address it.
I agree that some research would be useful.

Regards,
Valery.


_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec