
Re: [Ipsec] a new draft
Dear Brian,

Thank you for your reply and suggestions.
In this draft we don't touch the details of the SA creation because
we think it should be addressed in a separate document if necessary.
There are several possible ways to do that,
such as a new IKE or a SA-distribution protocol among senders.
We leave the details of multiple sender SA set up to other proposals.

We cite draft-ietf-ipsec-rfc2401bis-02.txt in the 
references. But actually we are considering a different 
scenario from the multicast one. In Mobile IPv6, multiple
Home Agents (HAs) are deployed to achieve fault tolerance,
robustness, and load balancing. According to the routing infrastructure,
the packets from the correspondent node (CN) will arrive at the
"closest" HA when communicating with the mobile node (MN). It is possible
to use an inter-HA protocol to share the SA information when IKE sets up
and renews the IPsec SA between the MN and a primary HA; but there is too
much overhead to keep the sequence number synchronized among HAs, or the
lifetime of the SA is inefficient. (Below is a figure.) I hope it
helps clarify. Thanks for your time.

regards,
fan
                +------+
                |  CN1 |-------------------------------|
                +------+                               |
                                                       |
                +------+                               |
                |  CN2 |----------|                    |
                +------+   +------|--------------------|-------+
                           |   +------+            +------+    |
                           |   | HA 2 |============| HA 3 |    |
                           |   +------+            +------+    |
                           |      +  =              =  +       |
                           |       +  =            =  +        |
                           |        +  = +------+ =  +         |
                           |         +  =| HA 1 |=  +          |
                           |          +  +---+--+  +           |
                           +-----------+-----+----+------------+     
                                        +    +   +
      +++  Bidirectional                 +   +  +
      +++  IPsec tunnel            +------+--+-+------+
                                   |     +------+     | 
      ===  Secure Inter            |     |  MN  |     | 
           HA protocol             |     +------+     |
                                   +------------------+

> Hi,
> 
> You mention IKE a few times in the I-D, but IKE cannot be used to
> provide group keys to devices. The MSEC working group has specifications
> for group key management methods, including RFC 3547.
> 
> Also, you reference RFC 2401. You should be aware of
> draft-ietf-ipsec-rfc2401bis-02.txt, which has some additional
> clarification on using IPsec for multicast traffic.
> 
> I suggest you send an email to msec@multicast.org asking for comments on
> your multiple sender SA draft.
> 
> Brian
> 
> Souhwan Jung wrote:
> 
> > Dear all,
> > I apologize if you got this message twice.
> > We have submitted a draft related to multiple senders that share an SA.
> > The main focus is to solve the sequence number problem.
> > Any comments on the draft will be appreciated.
> > http://www.ietf.org/internet-drafts/draft-zhao-ipsec-multi-sender-sa-00.txt
> > Thanks.
> > Souhwan
> > ============================================================
> > Souhwan Jung
> > Associate Professor email: souhwanj@ssu.ac.kr
> > School of Electronic Engineering phone: +82-2-820-0714
> > Soongsil University fax: +82-2-821-7653
> > 1-1 Sangdo-dong, Dongjak-ku,
> > Seoul 156-743
> > ============================================================
> >_______________________________________________
> >Ipsec mailing list
> >Ipsec@ietf.org
> >https://www1.ietf.org/mailman/listinfo/ipsec
> 
> 
> -- 
> Brian Weis
> Advanced Security Development, ITD, Cisco Systems
> Telephone: +1 408 526 4796
> Email: bew@cisco.com
> 

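The "sequence number problem" discussed in this thread can be made concrete with a small model. The following Python is an added illustration, not code from the draft or from either correspondent: it implements a receiver-side anti-replay sliding window of the kind RFC 2401 describes (window size 64 is an assumption) and feeds it packets from two HAs that share one SA but keep independent sequence counters, versus two HAs that draw from a single synchronized counter. The HA/MN stream is constructed inline.

```python
# Added example (not from the draft or the thread): a minimal anti-replay
# sliding window, used to show why two senders sharing one SA with
# independent sequence counters cause the receiver to drop legitimate traffic.
WINDOW = 64  # assumed window size; RFC 2401 requires a minimum of 32


class ReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Return True if seq is accepted, False if it is a replay or too old."""
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.top:                    # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # too old: outside the window
        if self.bitmap & (1 << diff):
            return False                      # already seen: replay
        self.bitmap |= 1 << diff              # late but new: accept and mark
        return True


def deliver(window, stream):
    """Feed (sender, seq) pairs through one receiver window; return accepted/dropped."""
    accepted, dropped = [], []
    for sender, seq in stream:
        (accepted if window.check_and_update(seq) else dropped).append((sender, seq))
    return accepted, dropped


def independent_counters(n):
    """HA1 and HA2 each count from 1 on the same SA; packets interleave at the MN."""
    return [(ha, i) for i in range(1, n + 1) for ha in ("HA1", "HA2")]


def synchronized_counters(n):
    """Both HAs draw from one shared counter (what an inter-HA sync protocol provides)."""
    return [("HA1" if k % 2 else "HA2", k) for k in range(1, 2 * n + 1)]
```

With independent counters every packet from the second HA collides with a sequence number the first HA already used and is discarded as a replay; with a shared counter all packets pass, which is the synchronization cost the message above refers to.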