IKEv2/IPsec SA counter synchronization
draft-kagarigi-ipsecme-ikev2-windowsync-04
| Section | Field | Value |
|---|---|---|
| Document | Type | Expired Internet-Draft (individual); Expired & archived |
| | Author | Kalyani Garigipati |
| | Last updated | 2010-07-29 |
| | RFC stream | (None) |
| | Intended RFC status | (None) |
| Stream | Stream state | (No stream defined) |
| | Consensus boilerplate | Unknown |
| | RFC Editor Note | (None) |
| IESG | IESG state | Expired |
| | Telechat date | (None) |
| | Responsible AD | (None) |
| | Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
IKEv2 and IPsec are widely used for deploying VPNs. To make such VPNs highly available and resilient to failure, they are implemented as IKEv2/IPsec Highly Available (HA) clusters. However, an IKEv2/IPsec HA cluster raises many issues. The draft "IPsec Cluster Problem Statement" enumerates all the issues encountered in an IKEv2/IPsec HA cluster environment. This draft proposes an extension to the IKEv2 protocol to solve the main issues of the "IPsec Cluster Problem Statement" in a Hot Standby cluster and gives implementation advice for the others. The main issues to be solved are:

o IKE Message Id synchronization: This is done by obtaining the message Id values from the peer and updating the values at the newly active cluster member after the failover.

o IPsec SA Counter synchronization: This is done by the newly active cluster member sending incremented values of the replay counters to the peer as the expected replay counter values.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)