Hi,

We have published a new version of the IKEv2 Redirect and Authentication Offload draft (draft-padmakumar-ikev2-redirect-and-auth-offload-01).
The draft may be accessed at:
http://www.ietf.org/internet-drafts/draft-padmakumar-ikev2-redirect-and-auth-offload-01.txt

Abstract:

IKEv2 supports multiple authentication mechanisms like public key signatures, shared secrets and EAP. EAP-based authentication requires the server to maintain information about the client until EAP completes. Public key based authentication mechanisms are highly computationally intensive and demand server CPU resources.

Redirect Mechanism for IKEv2 proposes a mechanism for IKEv2 that enables a VPN gateway to redirect the VPN client to another VPN gateway, for example, based on the load condition. The redirect mechanism can also be used to redirect a client to another router (trust anchor) to do mutual authentication on behalf of the server. This redirection happens during IKE_SA_INIT and the server does not maintain any information about the redirected client. After mutual authentication the trust anchor can redirect the client back to the server with an Access Token which can be used as a dynamic pre-shared key between the server and client for password-based IKE_AUTH exchange. The mechanism described here allows servers to compute the same pre-shared key dynamically, without contacting trust anchors, based on the information provided by the client during the IKE_AUTH exchange.

Such a mechanism is useful especially for low power devices like handsets. For example, a mobile node can redirect such authentications to its home agent. This proposal explains a mechanism to offload such verifications to a set of less critical routers or to a service provider who offers trust as a service.

We would appreciate your comments.

Thanks,
Pratima, Manik, Padmakumar

---------- Forwarded message ----------
From: <internet-dra...@ietf.org>
Date: Mon, Jul 27, 2009 at 6:30 PM
Subject: I-D Action:draft-padmakumar-ikev2-redirect-and-auth-offload-01.txt
To: i-d-annou...@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title     : IKEv2 Redirect and Authentication Offload
Author(s) : A. Padmakumar, et al.
Filename  : draft-padmakumar-ikev2-redirect-and-auth-offload-01.txt
Pages     : 17
Date      : 2009-07-27

(The abstract in the announcement is identical to the one quoted above.)
A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-padmakumar-ikev2-redirect-and-auth-offload-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Internet-Draft directories: http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

_______________________________________________
I-D-Announce mailing list
i-d-annou...@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
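The following is an added example, not code from the draft or from its authors, that simulates the offload flow the abstract describes: the trust anchor authenticates the client and issues an Access Token, the client carries the token's public parameters into IKE_AUTH, and the gateway recomputes the same token locally (no IKE_SA_INIT state, no call to the trust anchor) and uses it as the pre-shared key. The token derivation, the parameter names, the shared key K_TA and the TOKEN_TTL lifetime are assumptions made for this illustration and are not taken from the draft; only the AUTH construction follows the shared-key formula in RFC 7296 section 2.15. It goes slightly beyond the abstract by also running a tampered-identity case and an expired-token case, which is where the "recompute without asking the trust anchor" design needs its binding and expiry checks.

```python
"""Simulated IKEv2 authentication offload (added example, not the draft's
code). Token derivation, parameter names, K_TA and TOKEN_TTL are
assumptions; the AUTH construction is RFC 7296 section 2.15."""
import hashlib
import hmac
import struct

# Assumed long-term key shared between the gateway and its trust anchor;
# this is what lets the gateway recompute tokens without a round trip.
K_TA = hashlib.sha256(b"example gateway/trust-anchor key").digest()
TOKEN_TTL = 300  # token lifetime in seconds (assumed)


def access_token(k_ta, client_id, gateway_id, nonce, expiry):
    """Dynamic PSK bound to the client, the target gateway and an expiry,
    so a token issued for one (client, gateway) pair cannot be replayed
    against another gateway or after it lapses (assumed derivation)."""
    msg = b"|".join([client_id, gateway_id, nonce, struct.pack(">Q", expiry)])
    return hmac.new(k_ta, msg, hashlib.sha256).digest()


def ikev2_psk_auth(shared_secret, signed_octets):
    """AUTH payload for shared-key authentication, RFC 7296 section 2.15:
    prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>), with
    HMAC-SHA-256 standing in for the negotiated prf."""
    inner = hmac.new(shared_secret, b"Key Pad for IKEv2", hashlib.sha256).digest()
    return hmac.new(inner, signed_octets, hashlib.sha256).digest()


def trust_anchor_issue(k_ta, client_id, gateway_id, nonce, now):
    """Trust anchor: after mutual authentication with the client (not
    modelled here) return the token plus the public parameters the client
    will present to the gateway when redirected back."""
    expiry = now + TOKEN_TTL
    return {"client_id": client_id, "gateway_id": gateway_id, "nonce": nonce,
            "expiry": expiry,
            "token": access_token(k_ta, client_id, gateway_id, nonce, expiry)}


def client_ike_auth(issued, signed_octets):
    """Client: the IKE_AUTH message carries the token parameters in the
    clear and proves possession of the token through the AUTH payload."""
    msg = {k: issued[k] for k in ("client_id", "gateway_id", "nonce", "expiry")}
    msg["auth"] = ikev2_psk_auth(issued["token"], signed_octets)
    return msg


def gateway_verify(k_ta, my_gateway_id, msg, signed_octets, now):
    """Gateway: no per-client state from IKE_SA_INIT and no contact with
    the trust anchor; recompute the token and check AUTH against it."""
    if msg["gateway_id"] != my_gateway_id or now >= msg["expiry"]:
        return False
    psk = access_token(k_ta, msg["client_id"], msg["gateway_id"],
                       msg["nonce"], msg["expiry"])
    expected = ikev2_psk_auth(psk, signed_octets)
    # Constant-time comparison: the AUTH payload is attacker-controlled.
    return hmac.compare_digest(expected, msg["auth"])


def run_demo():
    """Run the flow once legitimately, once with a swapped identity and
    once after expiry; returns the three verification results."""
    now = 1_248_700_000  # fixed clock so the run is reproducible (constructed)
    client_id, gateway_id = b"alice@example.net", b"vpn1.example.net"
    nonce = bytes(range(16))  # constructed; would be random in practice
    # Constructed stand-in for InitiatorSignedOctets (RFC 7296 section 2.15).
    signed_octets = b"IKE_SA_INIT request || Nr || prf(SK_pi, IDi')"

    issued = trust_anchor_issue(K_TA, client_id, gateway_id, nonce, now)
    good = client_ike_auth(issued, signed_octets)
    # A client presenting someone else's identity with its own token no
    # longer matches the token the gateway derives from the presented fields.
    tampered = dict(good, client_id=b"mallory@example.net")

    return (gateway_verify(K_TA, gateway_id, good, signed_octets, now + 10),
            gateway_verify(K_TA, gateway_id, tampered, signed_octets, now + 10),
            gateway_verify(K_TA, gateway_id, good, signed_octets, now + TOKEN_TTL))


if __name__ == "__main__":
    print(run_demo())  # (True, False, False)
```

The point a deployer should take from the simulation is that everything the gateway trusts is either recomputed under K_TA or checked against its own clock and identity; the client-supplied fields are inputs to the MAC, never trusted on their own, and the nonce only prevents two issuances for the same client from yielding the same PSK rather than providing replay protection by itself.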