Diff: draft-ietf-ipsecme-ipsec-ha-07.txt - draft-ietf-ipsecme-ipsec-ha-08.txt

	draft-ietf-ipsecme-ipsec-ha-07.txt	draft-ietf-ipsecme-ipsec-ha-08.txt

	Network Working Group Y. Nir	Network Working Group Y. Nir
	Internet-Draft Check Point	Internet-Draft Check Point

	Intended status: Informational June 24, 2010	Intended status: Informational June 28, 2010
	Expires: December 26, 2010	Expires: December 30, 2010

	IPsec Cluster Problem Statement	IPsec Cluster Problem Statement

	draft-ietf-ipsecme-ipsec-ha-07	draft-ietf-ipsecme-ipsec-ha-08

	Abstract	Abstract

	This document defines terminology, problem statement and requirements	This document defines terminology, problem statement and requirements
	for implementing IKE and IPsec on clusters. It also describes gaps	for implementing IKE and IPsec on clusters. It also describes gaps
	in existing standards and their implementation that need to be	in existing standards and their implementation that need to be
	filled, in order to allow peers to interoperate with clusters from	filled, in order to allow peers to interoperate with clusters from
	different vendors. An agreed terminology, problem statement and	different vendors. An agreed terminology, problem statement and
	requirements will allow the IPSECME WG to consider development of	requirements will allow the IPSECME WG to consider development of
	IPsec/IKEv2 mechanisms to simplify cluster implementations.	IPsec/IKEv2 mechanisms to simplify cluster implementations.

	skipping to change at page 1, line 36	skipping to change at page 1, line 36
	Internet-Drafts are working documents of the Internet Engineering	Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute	Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-	working documents as Internet-Drafts. The list of current Internet-
	Drafts is at http://datatracker.ietf.org/drafts/current/.	Drafts is at http://datatracker.ietf.org/drafts/current/.

	Internet-Drafts are draft documents valid for a maximum of six months	Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any	and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference	time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."	material or to cite them other than as "work in progress."


	This Internet-Draft will expire on December 26, 2010.	This Internet-Draft will expire on December 30, 2010.

	Copyright Notice	Copyright Notice

	Copyright (c) 2010 IETF Trust and the persons identified as the	Copyright (c) 2010 IETF Trust and the persons identified as the
	document authors. All rights reserved.	document authors. All rights reserved.

	This document is subject to BCP 78 and the IETF Trust's Legal	This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents	Provisions Relating to IETF Documents
	(http://trustee.ietf.org/license-info) in effect on the date of	(http://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents	publication of this document. Please review these documents

	skipping to change at page 2, line 28	skipping to change at page 2, line 28
	3.6. Missing Synch Messages . . . . . . . . . . . . . . . . . . 8	3.6. Missing Synch Messages . . . . . . . . . . . . . . . . . . 8
	3.7. Simultaneous use of IKE and IPsec SAs by Different	3.7. Simultaneous use of IKE and IPsec SAs by Different
	Members . . . . . . . . . . . . . . . . . . . . . . . . . 8	Members . . . . . . . . . . . . . . . . . . . . . . . . . 8
	3.7.1. Outbound SAs using counter modes . . . . . . . . . . . 9	3.7.1. Outbound SAs using counter modes . . . . . . . . . . . 9
	3.8. Different IP addresses for IKE and IPsec . . . . . . . . . 9	3.8. Different IP addresses for IKE and IPsec . . . . . . . . . 9
	3.9. Allocation of SPIs . . . . . . . . . . . . . . . . . . . . 10	3.9. Allocation of SPIs . . . . . . . . . . . . . . . . . . . . 10
	4. Security Considerations . . . . . . . . . . . . . . . . . . . 10	4. Security Considerations . . . . . . . . . . . . . . . . . . . 10
	5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10	5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
	6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10	6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
	7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 11	7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 11

	8. Informative References . . . . . . . . . . . . . . . . . . . . 11	8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
		8.1. Normative References . . . . . . . . . . . . . . . . . . . 11
		8.2. Informative References . . . . . . . . . . . . . . . . . . 11
	Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12	Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12

	1. Introduction	1. Introduction

	IKEv2, as described in [RFC4306] and [IKEv2bis], and IPsec, as	IKEv2, as described in [RFC4306] and [IKEv2bis], and IPsec, as
	described in [RFC4301] and others, allows deployment of VPNs between	described in [RFC4301] and others, allows deployment of VPNs between
	different sites as well as from VPN clients to protected networks.	different sites as well as from VPN clients to protected networks.

	As VPNs become increasingly important to the organizations deploying	As VPNs become increasingly important to the organizations deploying
	them, there is a demand to make IPsec solutions more scalable and	them, there is a demand to make IPsec solutions more scalable and

	skipping to change at page 11, line 30	skipping to change at page 11, line 30

	Version 03 fixes some ID-nits, and adds the problem presented by	Version 03 fixes some ID-nits, and adds the problem presented by
	Jitender Arora in [ARORA].	Jitender Arora in [ARORA].

	Version 04 fixes a spelling mistake, moves the scope discussion to a	Version 04 fixes a spelling mistake, moves the scope discussion to a
	subsection of its own (Section 3.1), and adds a short discussion of	subsection of its own (Section 3.1), and adds a short discussion of
	the duplicate SPI problem, presented by Jean-Michel Combes.	the duplicate SPI problem, presented by Jean-Michel Combes.

	Versions 05, 06 and 07 just corrected nits and notation	Versions 05, 06 and 07 just corrected nits and notation


	8. Informative References	8. References

		8.1. Normative References

		[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
		Requirement Levels", BCP 14, RFC 2119, March 1997.

		[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
		Internet Protocol", RFC 4301, December 2005.

		[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
		RFC 4306, December 2005.

		8.2. Informative References

	[ARORA] Arora, J. and P. Kumar, "Alternate Tunnel Addresses for	[ARORA] Arora, J. and P. Kumar, "Alternate Tunnel Addresses for
	IKEv2", draft-arora-ipsecme-ikev2-alt-tunnel-addresses	IKEv2", draft-arora-ipsecme-ikev2-alt-tunnel-addresses
	(work in progress), April 2010.	(work in progress), April 2010.

	[COUNTER_MODES]	[COUNTER_MODES]
	McGrew, D. and B. Weis, "Using Counter Modes with	McGrew, D. and B. Weis, "Using Counter Modes with
	Encapsulating Security Payload (ESP) and Authentication	Encapsulating Security Payload (ESP) and Authentication
	Header (AH) to Protect Group Traffic",	Header (AH) to Protect Group Traffic",
	draft-ietf-msec-ipsec-group-counter-modes (work in	draft-ietf-msec-ipsec-group-counter-modes (work in
	progress), March 2010.	progress), March 2010.

	[IKEv2bis]	[IKEv2bis]
	Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,	Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
	"Internet Key Exchange Protocol: IKEv2",	"Internet Key Exchange Protocol: IKEv2",
	draft-ietf-ipsecme-ikev2bis (work in progress), May 2010.	draft-ietf-ipsecme-ikev2bis (work in progress), May 2010.


	[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
	Requirement Levels", BCP 14, RFC 2119, March 1997.

	[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)	[RFC3686] Housley, R., "Using Advanced Encryption Standard (AES)
	Counter Mode", RFC 3686, January 2009.	Counter Mode", RFC 3686, January 2009.

	[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode	[RFC4106] Viega, J. and D. McGrew, "The Use of Galois/Counter Mode
	(GCM) in IPsec Encapsulating Security Payload (ESP)",	(GCM) in IPsec Encapsulating Security Payload (ESP)",
	RFC 4106, June 2005.	RFC 4106, June 2005.


	[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
	Internet Protocol", RFC 4301, December 2005.

	[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
	RFC 4306, December 2005.

	[RFC5685] Devarapalli, V. and K. Weniger, "Redirect Mechanism for	[RFC5685] Devarapalli, V. and K. Weniger, "Redirect Mechanism for
	IKEv2", RFC 5685, November 2009.	IKEv2", RFC 5685, November 2009.

	[RFC5723] Sheffer, Y. and H. Tschofenig, "IKEv2 Session Resumption",	[RFC5723] Sheffer, Y. and H. Tschofenig, "IKEv2 Session Resumption",
	RFC 5723, January 2010.	RFC 5723, January 2010.

	[RFC5798] Nadas, S., "Virtual Router Redundancy Protocol (VRRP)",	[RFC5798] Nadas, S., "Virtual Router Redundancy Protocol (VRRP)",
	RFC 5798, March 2010.	RFC 5798, March 2010.

	Author's Address	Author's Address

End of changes. 7 change blocks.
	15 lines changed or deleted	21 lines changed or added
This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/