
Re: Anycast



> Has there been any discussion regarding support of Anycast with IPSec and
> ISAKMP?

Historically, no.

> Due to the address change which occurs on response packets, conducting SA
> negotiations for a remote Anycast address creates some unique problems for
> ISAKMP and the SA/policy database.  Is the general practice in IPSec
> implementations just to leave out support for Anycast?

Anycast kinda/sorta starts its life out not unlike multicast, which we
already know is a Hard Problem (TM).

> Please post any pointers or thoughts on this.

Assuming my understanding of anycast is still up to snuff (it may not be),
and that you've solved multicast key distribution, what you can have happen is
this:

	0.) Anycast keys are distributed, a node sends to the anycast
	    address using that IPsec SA.

	1.) The node that handles the anycast traffic accepts the packet, and
            turns around a response.  This response is to a unicast address,
            and if you use source address as a selector, it comes from a
            "different" source address.  This should kick off an IKE
            negotiation.

	2.) The remaining traffic is protected with a pair of unicast SAs
            that were negotiated by the anycast handler and the original
            node.

The way I see it, decoupling the ISAKMP "initiator" from the traffic
"initiator" will help here.

Like I said, I'm assuming my anycast understanding is complete, which it
might not be.  Also like I said, getting the anycast keys out reduces to the
problem of getting multicast keys out, which is very HARD.

Dan
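The three-step handoff above (pre-distributed anycast SA, reply from the handler's unicast address finding no matching SA and so kicking off IKE, then a unicast SA pair for the rest of the flow) as a small simulation. This is an added illustration, not code from the poster or from any IPsec implementation: the addresses, the group key and the `ike()` function are constructed stand-ins, and the SA database is reduced to an address-pair selector lookup so that the initiator roles are visible.

```python
import os
from dataclasses import dataclass

# Constructed addresses for the example (documentation prefix, not real hosts).
ANYCAST = "2001:db8::a"      # anycast address shared by the handler group
HANDLER = "2001:db8::1"      # unicast address of the member that gets the packet
CLIENT = "2001:db8::100"     # unicast address of the node that sends to ANYCAST
GROUP_KEY = b"\x11" * 16     # stands in for the multicast-style pre-distributed key


@dataclass(frozen=True)
class SA:
    src: str        # source-address selector ("*" = any source)
    dst: str        # destination-address selector
    key: bytes
    origin: str     # "group" for the pre-distributed anycast SA, "ike" if negotiated


class Node:
    def __init__(self, addr, anycast=None):
        self.addr = addr
        self.anycast = anycast      # anycast address this node serves, if any
        self.sad = {}               # (src, dst) selector pair -> SA
        self.ike_initiated = 0      # how many times this node was the ISAKMP initiator
        self.log = []               # (src, dst, sa.origin, payload) for received packets

    def install(self, sa):
        self.sad[(sa.src, sa.dst)] = sa

    def outbound_sa(self, dst):
        """Exact (self, dst) match first, then a wildcard-source group SA."""
        return self.sad.get((self.addr, dst)) or self.sad.get(("*", dst))

    def accepts(self, dst):
        return dst == self.addr or dst == self.anycast


def ike(initiator, responder):
    """Toy stand-in for an IKE/ISAKMP run: installs a unicast SA pair on both ends.

    Whoever calls this is the ISAKMP initiator, which need not be the node that
    initiated the traffic (the post's decoupling point).
    """
    initiator.ike_initiated += 1
    out = SA(initiator.addr, responder.addr, os.urandom(16), "ike")
    back = SA(responder.addr, initiator.addr, os.urandom(16), "ike")
    for node in (initiator, responder):
        node.install(out)
        node.install(back)
    return out


def send(sender, dst, receiver, payload):
    """Protect one packet; a missing outbound SA makes the sender run IKE."""
    sa = sender.outbound_sa(dst)
    if sa is None:
        # No SA whose selectors cover (sender.addr, dst). In the reply step the
        # sender is the anycast handler replying from its unicast address, which
        # the client's SAD has never seen as a source selector, so the handler
        # starts the negotiation.
        sa = ike(sender, receiver)
    if not receiver.accepts(dst) or receiver.sad.get((sa.src, sa.dst)) != sa:
        raise RuntimeError("receiver has no matching inbound SA")
    receiver.log.append((sa.src, dst, sa.origin, payload))
    return sa


def run_exchange():
    """Steps 0-2 from the post; returns the SA used at each step plus both nodes."""
    client = Node(CLIENT)
    handler = Node(HANDLER, anycast=ANYCAST)

    # Step 0: anycast key distributed (the multicast-style hard part, assumed solved).
    group_sa = SA("*", ANYCAST, GROUP_KEY, "group")
    client.install(group_sa)
    handler.install(group_sa)

    first = send(client, ANYCAST, handler, b"request")    # step 0: under the anycast SA
    reply = send(handler, CLIENT, client, b"response")    # step 1: unicast source, triggers IKE
    rest = send(client, HANDLER, handler, b"more")        # step 2: unicast SA pair from now on
    return first, reply, rest, client, handler


if __name__ == "__main__":
    first, reply, rest, client, handler = run_exchange()
    for label, sa in (("step 0", first), ("step 1", reply), ("step 2", rest)):
        print(label, sa.src, "->", sa.dst, sa.origin)
    print("ISAKMP initiator was the handler:", handler.ike_initiated == 1)
```

Note that after step 1 the client continues to the handler's unicast address, not to ANYCAST; if it kept sending to the anycast address, a different group member could pick the packet up and the unicast pair would not apply to it.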

