
IKEv2 and multiple tunnels. (Was: QoS and IKEv2)



Hi again,

> So I'd propose one more field in the traffic
> selector for "uniquifier". Alice can create

I like this "uniquifier" idea. Indeed there may be more reasons for creating
apparently redundant IPsec SAs to avoid problems caused by the IPsec replay
counter.

For instance, if one of the peers is a cluster of machines performing load
sharing, it may want to establish multiple IPsec SAs with the peer, one for
each machine belonging to the cluster. Each 'cluster member' will have its
own SA which it can use for outbound traffic. This way the IPsec replay
counter does not have to be synchronized between the cluster members. To the
non-cluster peer, however, these SAs may seem redundant as they share the
exact same traffic selectors (the cluster has a single external IP address
and the cluster members are not exposed).

In this scenario the "uniquifier" will help, since it will indicate that
these tunnels are not redundant - they are used by the peer for some
(unknown) purpose.

Jesse

-----Original Message-----
From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com] On Behalf Of Radia Perlman -
Boston Center for Networking
Sent: Monday, March 10, 2003 6:32 AM
To: ipsec@lists.tislabs.com
Subject: RE: QoS and IKEv2



"Jesse Alpert" <jalpert@checkpoint.com> wrote:

>Again, it seems to me it might be easier to explicitly include this (PHB)
>information in the TS payload. This requires modifications to the IKEv2
>draft.
>
>Thanks again,
>Jesse
>
>

Thank you for noticing that, Jesse. The problem (to summarize
without diffserv acronyms) is that IKEv2 says that two
child-SAs with the same traffic selectors are redundant,
and extra ones should be closed. But it also says that
you might want several between the same endpoints with
the same traffic selectors for different QOS.

I'd propose that there should be some way to create
multiple SAs with the same traffic selectors, and
that it's not necessary to negotiate what QOS things
go over which ones. It's up to the sender to
decide that. And there might in the future be
other reasons to create multiple SAs and
we wouldn't be able to tell the difference
based solely on the fields in the traffic
selector (protocol type, address, and port).

So I'd propose one more field in the traffic
selector for "uniquifier". Alice can create
multiple child-SAs to Bob with the same
traffic selectors, as long as they have different
uniquifiers.

The only function of the uniquifier is so that
the multiple SAs won't look redundant to Bob.
Which traffic gets sent over which SA is up
to the sender.

Radia
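
The following is an added illustration, not part of the thread and not IKEv2 wire format: a small Python model of the two points discussed above, Bob's "same traffic selectors means redundant" rule (and how the proposed uniquifier field keeps deliberately duplicated child SAs alive) and Jesse's cluster scenario, where two members that share one SA without synchronizing the ESP sequence counter get their packets discarded by the peer's anti-replay window. The class and function names, SPIs, addresses and the packet traces are this example's own assumptions.

```python
"""
Added illustration (not from the thread): toy model of the IKEv2 child-SA
redundancy rule with and without a 'uniquifier', and of why a load-sharing
cluster cannot share one outbound SA without synchronising the replay counter.
All names, SPIs and addresses below are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    proto: int
    src: str                          # address range, e.g. "203.0.113.0/24"
    dst: str
    src_ports: Tuple[int, int]        # (low, high)
    dst_ports: Tuple[int, int]
    uniquifier: Optional[int] = None  # the extra field proposed in the thread


@dataclass
class ChildSA:
    spi: int
    ts: TrafficSelector


class ResponderSADB:
    """Bob's SA database: applies the draft's 'same selectors => redundant' rule."""

    def __init__(self) -> None:
        self.sas: List[ChildSA] = []

    def install(self, sa: ChildSA) -> bool:
        """Install the SA; return False if it would be closed as redundant."""
        if any(existing.ts == sa.ts for existing in self.sas):
            return False  # identical selectors (uniquifier included) -> redundant
        self.sas.append(sa)
        return True


class ReplayWindow:
    """Receiver-side anti-replay check in the style of the ESP sliding window."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def accept(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False
        if seq > self.top:  # advances the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.size or self.bitmap & (1 << back):
            return False  # too old, or a replay
        self.bitmap |= 1 << back
        return True


# Constructed traffic: three packets from each of two cluster members, each member
# numbering its ESP sequence counter independently from 1 (no synchronisation).
MEMBER_PACKETS: Dict[str, List[int]] = {"member-a": [1, 2, 3], "member-b": [1, 2, 3]}


def deliver(packets: Dict[str, List[int]], spi_for: Dict[str, int]) -> int:
    """Run the peer's per-SPI replay windows over the packets; return how many pass."""
    windows: Dict[int, ReplayWindow] = {}
    accepted = 0
    for member, seqs in packets.items():
        window = windows.setdefault(spi_for[member], ReplayWindow())
        accepted += sum(window.accept(s) for s in seqs)
    return accepted


def shared_sa_accepted() -> int:
    """Both members send on one SA (one SPI): the second member looks like a replayer."""
    return deliver(MEMBER_PACKETS, {"member-a": 0x1000, "member-b": 0x1000})


def per_member_sa_accepted() -> int:
    """One SA (one SPI, hence one window) per member: nothing is dropped."""
    return deliver(MEMBER_PACKETS, {"member-a": 0x1000, "member-b": 0x1001})


def installed_sas(with_uniquifier: bool) -> int:
    """How many of two same-selector child SAs Bob keeps, with or without uniquifiers."""
    base = dict(proto=0, src="203.0.113.10/32", dst="198.51.100.0/24",
                src_ports=(0, 65535), dst_ports=(0, 65535))
    sadb = ResponderSADB()
    for n, spi in enumerate((0x1000, 0x1001), start=1):
        ts = TrafficSelector(**base, uniquifier=n if with_uniquifier else None)
        sadb.install(ChildSA(spi=spi, ts=ts))
    return len(sadb.sas)


if __name__ == "__main__":
    print("shared SA, packets accepted:", shared_sa_accepted())          # 3 of 6
    print("per-member SAs, packets accepted:", per_member_sa_accepted())  # 6 of 6
    print("SAs kept without uniquifier:", installed_sas(False))          # 1
    print("SAs kept with uniquifier:", installed_sas(True))              # 2
```

Run as-is, the model shows the two halves of the argument: with one shared SPI the peer's window rejects member-b's packets 1..3 as replays (3 of 6 accepted), while separate SAs accept all 6; and Bob keeps only one of two same-selector SAs unless the selectors differ in the uniquifier. The sender-side choice of which SA carries which traffic is deliberately left out, matching the thread's point that this is up to the sender.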