draft-ietf-ipsecme-ipsec-ha-07.txt   draft-ietf-ipsecme-ipsec-ha-08.txt 
Network Working Group Y. Nir Network Working Group Y. Nir
Internet-Draft Check Point Internet-Draft Check Point
Intended status: Informational June 24, 2010 Intended status: Informational June 28, 2010
Expires: December 26, 2010 Expires: December 30, 2010
IPsec Cluster Problem Statement IPsec Cluster Problem Statement
draft-ietf-ipsecme-ipsec-ha-07 draft-ietf-ipsecme-ipsec-ha-08
Abstract Abstract
This document defines terminology, problem statement and requirements This document defines terminology, problem statement and requirements
for implementing IKE and IPsec on clusters. It also describes gaps for implementing IKE and IPsec on clusters. It also describes gaps
in existing standards and their implementation that need to be in existing standards and their implementation that need to be
filled, in order to allow peers to interoperate with clusters from filled, in order to allow peers to interoperate with clusters from
different vendors. An agreed terminology, problem statement and different vendors. An agreed terminology, problem statement and
requirements will allow the IPSECME WG to consider development of requirements will allow the IPSECME WG to consider development of
IPsec/IKEv2 mechanisms to simplify cluster implementations. IPsec/IKEv2 mechanisms to simplify cluster implementations.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 26, 2010. This Internet-Draft will expire on December 30, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 28
3.6. Missing Synch Messages . . . . . . . . . . . . . . . . . . 8 3.6. Missing Synch Messages . . . . . . . . . . . . . . . . . . 8
3.7. Simultaneous use of IKE and IPsec SAs by Different 3.7. Simultaneous use of IKE and IPsec SAs by Different
Members . . . . . . . . . . . . . . . . . . . . . . . . . 8 Members . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.7.1. Outbound SAs using counter modes . . . . . . . . . . . 9 3.7.1. Outbound SAs using counter modes . . . . . . . . . . . 9
3.8. Different IP addresses for IKE and IPsec . . . . . . . . . 9 3.8. Different IP addresses for IKE and IPsec . . . . . . . . . 9
3.9. Allocation of SPIs . . . . . . . . . . . . . . . . . . . . 10 3.9. Allocation of SPIs . . . . . . . . . . . . . . . . . . . . 10
4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 11 7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 11
8. Informative References . . . . . . . . . . . . . . . . . . . . 11 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1. Normative References . . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction 1. Introduction
IKEv2, as described in [RFC4306] and [IKEv2bis], and IPsec, as IKEv2, as described in [RFC4306] and [IKEv2bis], and IPsec, as
described in [RFC4301] and others, allows deployment of VPNs between described in [RFC4301] and others, allows deployment of VPNs between
different sites as well as from VPN clients to protected networks. different sites as well as from VPN clients to protected networks.
As VPNs become increasingly important to the organizations deploying As VPNs become increasingly important to the organizations deploying
them, there is a demand to make IPsec solutions more scalable and them, there is a demand to make IPsec solutions more scalable and
skipping to change at page 11, line 30 skipping to change at page 11, line 30
Version 03 fixes some ID-nits, and adds the problem presented by Version 03 fixes some ID-nits, and adds the problem presented by
Jitender Arora in [ARORA]. Jitender Arora in [ARORA].
Version 04 fixes a spelling mistake, moves the scope discussion to a Version 04 fixes a spelling mistake, moves the scope discussion to a
subsection of its own (Section 3.1), and adds a short discussion of subsection of its own (Section 3.1), and adds a short discussion of
the duplicate SPI problem, presented by Jean-Michel Combes. the duplicate SPI problem, presented by Jean-Michel Combes.
Versions 05, 06 and 07 just corrected nits and notation. Versions 05, 06 and 07 just corrected nits and notation.
8. Informative References 8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
8.2. Informative References
[ARORA] Arora, J. and P. Kumar, "Alternate Tunnel Addresses for [ARORA] Arora, J. and P. Kumar, "Alternate Tunnel Addresses for
IKEv2", draft-arora-ipsecme-ikev2-alt-tunnel-addresses IKEv2", draft-arora-ipsecme-ikev2-alt-tunnel-addresses
(work in progress), April 2010. (work in progress), April 2010.
[COUNTER_MODES] [COUNTER_MODES]
McGrew, D. and B. Weis, "Using Counter Modes with McGrew, D. and B. Weis, "Using Counter Modes with
Encapsulating Security Payload (ESP) and Authentication Encapsulating Security Payload (ESP) and Authentication
Header (AH) to Protect Group Traffic", Header (AH) to Protect Group Traffic",
draft-ietf-msec-ipsec-group-counter-modes (work in draft-ietf-msec-ipsec-group-counter-modes (work in
progress), March 2010. progress), March 2010.
[IKEv2bis] [IKEv2bis]
Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol: IKEv2", "Internet Key Exchange Protocol: IKEv2",
draft-ietf-ipsecme-ikev2bis (work in progress), May 2010. draft-ietf-ipsecme-ikev2bis (work in progress), May 2010.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES) [RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
Counter Mode With IPsec Encapsulating Security Payload Counter Mode With IPsec Encapsulating Security Payload
(ESP)", RFC 3686, January 2004. (ESP)", RFC 3686, January 2004.
[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode [RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
(GCM) in IPsec Encapsulating Security Payload (ESP)", (GCM) in IPsec Encapsulating Security Payload (ESP)",
RFC 4106, June 2005. RFC 4106, June 2005.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[RFC5685] Devarapalli, V. and K. Weniger, "Redirect Mechanism for [RFC5685] Devarapalli, V. and K. Weniger, "Redirect Mechanism for
the Internet Key Exchange Protocol Version 2 (IKEv2)", the Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5685, November 2009. RFC 5685, November 2009.
[RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange [RFC5723] Sheffer, Y. and H. Tschofenig, "Internet Key Exchange
Protocol Version 2 (IKEv2) Session Resumption", RFC 5723, Protocol Version 2 (IKEv2) Session Resumption", RFC 5723,
January 2010. January 2010.
[RFC5798] Nadas, S., "Virtual Router Redundancy Protocol (VRRP) [RFC5798] Nadas, S., "Virtual Router Redundancy Protocol (VRRP)
Version 3 for IPv4 and IPv6", RFC 5798, March 2010. Version 3 for IPv4 and IPv6", RFC 5798, March 2010.
Author's Address Author's Address
End of changes. 7 change blocks. 15 lines changed or deleted, 21 lines changed or added.
This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/