IPsec FAilover and REdundancy (ifare) Bar-BOF Web
The Internet Key Exchange version 2 (IKEv2) protocol incurs
computational and communication overhead in the number of
round-trips required and the cryptographic operations involved. In
remote access situations, the Extensible Authentication Protocol (EAP)
is used for authentication, which adds further round-trips and
therefore latency.
Re-establishing security associations (SAs) during failure recovery
is time consuming, especially when an IPsec peer, such as a
VPN gateway, needs to re-establish a large number of SAs with various
end points. A high number of concurrent sessions might cause
additional problems for an IPsec peer during SA re-establishment.
In many failure cases it would be useful to provide an efficient way
to resume an interrupted IKE/IPsec session. This document proposes
an extension to IKEv2 that allows a client to re-establish an IKE SA
with a gateway in a highly efficient manner, utilizing a previously
established IKE SA.
A client can reconnect to a gateway from which it was disconnected,
or alternatively migrate to another gateway that is associated with
the previous one.
Available Information
Logistics
- Tuesday, 4th December 2007, 8pm
- We are going to meet in front of the IETF Registration Desk
- The meeting will be in the NOMCOM room (President room)