[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Comments on -02 PS..

To: ietf-ipsec-failover@xxxxxxxx
Subject: Comments on -02 PS..
From: Markus Stenberg <mstenber@xxxxxxxxx>
Date: Wed, 6 Jun 2007 13:43:50 +0900
Authentication-results: sj-dkim-2; header.From=mstenber@xxxxxxxxx; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=2552; t=1181105040; x=1181969040; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mstenber@xxxxxxxxx; z=From:=20Markus=20Stenberg=20<mstenber@xxxxxxxxx> |Subject:=20Comments=20on=20-02=20PS.. |Sender:=20; bh=ItgzbJCFJMDGf8FBzZQdYlGsMZbeUyDXfBlnSfOq1wg=; b=u3nhvzraWS7g6XXeq7Jkr+FSpfXsrnZuYKmTpPlyGWT8lk8eSG+aMSL7SCmo9UQgBvu9NWR8 BesKFTFuwjSDRW45BRuodLNL8MlPLPxIYHBH4Xk3isefLXG13BykJkoN;
List-archive: <http://www.vpnc.org/ietf-ipsec-failover/mail-archive/>
List-id: <ietf-ipsec-failover.vpnc.org>
List-unsubscribe: <mailto:ietf-ipsec-failover-request@vpnc.org?body=unsubscribe>
Sender: owner-ietf-ipsec-failover@xxxxxxxxxxxxx

Disclaimer: I have been interested on and off about this topic sincethe start, but missed the BoF due to $DAYJOB forcing me to go toanother WG. I also use term 'server' here for the SGW/end host thatthe client connects to. I will probably miss the Chicago BOF if ithappens too, again due to $DAYJOB.

I think the PS has gone long ways in becoming concise and to thepoint; the initial versions were less specific about theapplications, and how the solution was actually meant to work.

Currently, the problem stmt basically provides a way of getting ridof most of the client/server computing load on switchover, and thecost of HA server state synchronization cost at the expense of somemore complexity to the IPsec suite / some storage on the client.


Looking at the pros/cons:

Client

+ faster switchover (mobility, HA) due to less roundtrips (this ismost likely big concern in mobility case)

+ less computing on switchover (also nice for mobility)

- storage of the authorization blob; should be fairly small, althoughif vendor-specific extensions were allowed to payload in general, itmight grow.. just IKEv2 _protocol_ state isn't that big

- code complexity grows

Server
+ less load on non-check-pointed switchovers
+ less state storage needed overall (due to no need to replicate state)
+ less complex code in general if HA can be skipped

- however, if support for normal clients is also desired to work'well', you lose the above benefit and the one above that is also bitquestionable (certainly, across-site less state, but who'd designsuch a solution in the first place?)

- extra code

Looking at the arguments, if you control client/server, and doanything with MIP, you'd definitely want this solution - you couldskip most of the normal IPsec-related HA code on the server side, getmore scalable failovers, and get nice, fast switchovers for themobile nodes given some assumptions on how the HA is handled)

For normal VPN user case (is it still the traditional assumption?), Isee only marginal benefits due to lack of guarantee of both endssupporting it - server needs to be designed for non-supporting case,and client gets some benefits with the rare server crashes, at costof significant chunk of extra code.

Overall? Seems worth doing to me, although I'm curious to hearingsome sort of 'show of hands' about people really planning onimplementing this, but guess that's what BoFs are for :-)


Cheers,

-Markus

Follow-Ups:
- RE: Comments on -02 PS..
  - From: Narayanan, Vidya

Prev by Date: Re: IFARE open issues and next steps
Next by Date: RE: Comments on -02 PS..
Previous by thread: IFARE open issues and next steps
Next by thread: RE: Comments on -02 PS..
Index(es):
- Date
- Thread