Hi Pasi,

Please find replies inline.

Regards,

Kalyani

________________________________

From: pasi.ero...@nokia.com [mailto:pasi.ero...@nokia.com] 
Sent: Thursday, September 03, 2009 9:58 PM
To: Kalyani Garigipati (kagarigi); ipsec@ietf.org
Subject: RE: Ikev2 HA message Id Issue

 

One obvious approach would be not to sync after every exchange (that
could be a lot of messages), but sync, say, every N seconds (say, N=5)
in one big batch (for all IKE_SAs that changed in the last N seconds). 


<Kalyani> If sync is done in batches and the active device crashes between two batch syncs, then we again see the same message Id issue.

If DPD is enabled, then the IKEv2 counters keep getting updated frequently. Hence we cannot rule out the possibility of the standby and active devices going out of sync with the above approach.


Most of the time, almost all IKE_SAs are just sitting there idle (so
IKEv2 message ID counters don't change). In case of failure, the
stand-by device would have out-of-date information for some small
percentage of IKE_SAs (those whose counters changed since last sync),
but that's always going to be the case (for exchanges where something
more happened just before/during the failure).


<Kalyani> With HA, we want to ensure the maximum avoidance of out of sync. In any case of out of sync, the retransmission of messages should take care of the exchanges.

In the worst case the SA will have to be deleted (which is currently the case for IKEv2 when windowing is used and some requests are lost).

 

I haven't done the math, though, so I don't know what value of N would
result in both acceptable bandwidth and acceptable failure rate for the
stand-by (depends on how many messages your typical IKE_SAs have per
hour on average)...


<Kalyani> We might like the solution to work in all cases of exchange frequency, hence I think we cannot fix N.


Best regards,

Pasi

 

From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf
Of ext Kalyani Garigipati (kagarigi)
Sent: 03 September, 2009 16:07
To: ipsec@ietf.org
Subject: [IPsec] Ikev2 HA message Id Issue


Hi,

 

In Ikev2 HA, there is an issue with the message Id and window size.


Standby device ------------------ Active device ------------------ Peer device

 

The active device participating in the exchange with the peer will
update its message id counters as per the exchanges done.

This info cannot be synced to the stand-by device for every exchange
done since that would take up all the bandwidth and is not an efficient
way.

 

The stand-by device when it becomes active will start with the message
Id as 1 and this will not be accepted by the peer, since its message Id
counters are different.

Hence a solution is required to sync the message Id counters to the
standby device.

 

1. A solution for this is to get the required info from the peer device
since it maintains all these counters.

The abstract details of how this can be done are given in the attached
document.

 

2. An alternative solution for this could be to send a new notify called
(RESET_MESSAGE_ID) to the peer device as soon as the standby comes up.
But this may lead to reuse of message Ids within the same SA, which is
not desirable.

 

I think solution 1 should be implemented with Ikev2. Please give your
comments.

 

Regards,

Kalyani

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
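As an added illustration of the message Id problem discussed in this thread (example code written for this page, not code from the thread or from any IKEv2 implementation), a small Python model of the peer's request window: the active member runs exchanges, snapshots its counter to the standby only every N exchanges, then crashes, and the model reports how the peer treats the standby's first request. The names Responder, simulate_failover and WINDOW are assumptions of the example.

```python
# Toy model of IKEv2 request Message ID handling (RFC 7296, section 2.3)
# used to see what the peer does when a standby takes over with a counter
# that is behind the crashed active member. Constructed example; the names
# Responder, simulate_failover and WINDOW are assumptions, not anything
# taken from the thread.

WINDOW = 1  # request window size advertised to the peer (default is 1)


class Responder:
    """The remote peer: it expects request Message IDs in a sliding window."""

    def __init__(self):
        self.expected = 0  # lowest request Message ID it will still accept

    def handle_request(self, msg_id):
        if msg_id < self.expected:
            # Below the window: the exact previous ID is treated as a
            # retransmission and the old reply is resent; anything older is
            # discarded as a replay. Either way no new exchange takes place.
            return "old-reply" if msg_id == self.expected - 1 else "dropped"
        if msg_id >= self.expected + WINDOW:
            return "dropped"  # beyond the window the peer does not buffer it
        self.expected = msg_id + 1
        return "accepted"


def simulate_failover(exchanges, sync_every):
    """Active member runs `exchanges` requests, syncing its counter to the
    standby every `sync_every` exchanges, then crashes. Returns the peer's
    verdict on the standby's first request and how far behind it was."""
    peer = Responder()
    active_next = 0   # next request Message ID on the active member
    standby_next = 0  # standby's copy, refreshed only at each batch sync
    for _ in range(exchanges):
        assert peer.handle_request(active_next) == "accepted"
        active_next += 1
        if active_next % sync_every == 0:
            standby_next = active_next  # batch sync snapshot
    # Active crashes; standby takes over with the last snapshot it received.
    return peer.handle_request(standby_next), active_next - standby_next


if __name__ == "__main__":
    print(simulate_failover(exchanges=7, sync_every=1))   # sync every exchange
    print(simulate_failover(exchanges=10, sync_every=5))  # crash right after a sync
    print(simulate_failover(exchanges=7, sync_every=5))   # crash between two syncs
    print(simulate_failover(exchanges=3, sync_every=100)) # never synced at all
```

With per-exchange sync the standby is always accepted; with batched sync a crash between syncs leaves the standby one behind (the peer just resends its old reply) or further behind (the peer drops the request as a replay), which is the out-of-sync case the replies above discuss.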
