Jitender Arora wrote:
> The application where it is required now is the load balancing of
> the IPSEC tunnels. Suppose in a network there are 10 Security-Gateways
> and each of these security gateways can handle 200000 IPSEC tunnels
> using the IKEv2 signaling. Now for this network if we need a load
> balancer device which can balance the tunnels across these security
> gateways, this load balancer device will be handling the IKEv2
> signaling coming from the 10 * 200000 clients, which is 2 million
> clients. In addition to handling the IKEv2 signaling from these
> clients, this will also have to handle the bidirectional IPSEC traffic
> between the clients and security gateways. So in this case this load
> balancing device needs to be a very scalable and also high-performance
> box. This might not be practical.
>
> So to solve this problem, this draft proposes that if we can allow
> the IPSEC traffic on different addresses than the IKEv2 signaling,
> the load balancer can handle only the IKEv2 signaling and choose the
> right security gateway, and this security gateway can tell the client
> to send the IPSEC traffic directly to the security gateway without
> going through the Load Balancer. This way the load balancer does not
> need to worry about the IPSEC traffic and this will not put a lot of
> strain on these boxes.
>
> You are right, the IKEv2 SA and the CHILD SA will still be on the
> same machine, but will be using different addresses.
If the IKEv2 SA and Child SAs are on the same box, why isn't RFC 5685 sufficient to solve this problem? RFC 5685 doesn't support using different IP addresses for IKEv2 and ESP/AH, but it would allow bypassing the load balancer for established IKE SAs, precisely the way you describe.

Best regards,
Pasi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
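The RFC 5685 mechanism Pasi refers to, worked through as an added example (not code from either poster or from any IKEv2 implementation): the front-end box sees only the initiator's IKE_SA_INIT request, picks a gateway, and answers with a REDIRECT notify that echoes the initiator's nonce; the initiator then restarts IKE_SA_INIT directly with that gateway, carrying REDIRECTED_FROM, so both the IKE SA and the Child SAs, and all ESP traffic, land on the gateway and never transit the load balancer. The notify type numbers and the GW Ident Type / GW Ident Len / Identity / Nonce Data layout are those of RFC 5685; the `LoadBalancer` and `Client` classes, the least-loaded selection policy, the gateway addresses and their load counts are assumptions constructed for the example.

```python
import socket
import struct
import secrets

# IKEv2 Notify Message Types registered by RFC 5685.
REDIRECT_SUPPORTED = 16406   # initiator -> responder, in IKE_SA_INIT request
REDIRECT = 16407             # responder -> initiator, carries the new gateway
REDIRECTED_FROM = 16408      # initiator -> new gateway, names the old responder

# GW Ident Type values (RFC 5685, section 6).
GW_IDENT_IPV4, GW_IDENT_IPV6, GW_IDENT_FQDN = 1, 2, 3


def encode_redirect_data(gateway, nonce=b""):
    """Notification Data of REDIRECT / REDIRECTED_FROM (RFC 5685, section 6):
    GW Ident Type (1 octet) | GW Ident Len (1 octet) | Identity | Nonce Data.
    Nonce Data is only present when redirecting during IKE_SA_INIT."""
    try:
        ident, ident_type = socket.inet_pton(socket.AF_INET, gateway), GW_IDENT_IPV4
    except OSError:
        try:
            ident, ident_type = socket.inet_pton(socket.AF_INET6, gateway), GW_IDENT_IPV6
        except OSError:
            ident, ident_type = gateway.encode("ascii"), GW_IDENT_FQDN
    if len(ident) > 255:
        raise ValueError("gateway identity longer than the 1-octet length field allows")
    return struct.pack("!BB", ident_type, len(ident)) + ident + nonce


def decode_redirect_data(data):
    """Parse Notification Data back into (gateway, nonce_data); rejects
    truncated payloads and unknown identity types instead of guessing."""
    if len(data) < 2:
        raise ValueError("truncated REDIRECT data")
    ident_type, ident_len = struct.unpack("!BB", data[:2])
    ident = data[2:2 + ident_len]
    if len(ident) != ident_len:
        raise ValueError("gateway identity shorter than GW Ident Len")
    if ident_type == GW_IDENT_IPV4 and ident_len == 4:
        gateway = socket.inet_ntop(socket.AF_INET, ident)
    elif ident_type == GW_IDENT_IPV6 and ident_len == 16:
        gateway = socket.inet_ntop(socket.AF_INET6, ident)
    elif ident_type == GW_IDENT_FQDN:
        gateway = ident.decode("ascii")
    else:
        raise ValueError("unknown or malformed GW Ident Type %d" % ident_type)
    return gateway, data[2 + ident_len:]


class LoadBalancer:
    """Assumed front-end: terminates nothing beyond IKE_SA_INIT and hands
    each initiator to the gateway currently holding the fewest IKE SAs."""

    def __init__(self, address, gateway_loads):
        self.address = address
        self.load = dict(gateway_loads)   # gateway address -> IKE SA count (constructed)

    def handle_ike_sa_init(self, initiator_nonce, notifies):
        # Without REDIRECT_SUPPORTED the initiator cannot be redirected; this
        # front-end would then have to proxy the whole SA, which is the problem
        # described in the thread, so it simply declines here.
        if REDIRECT_SUPPORTED not in notifies:
            return None
        gateway = min(self.load, key=self.load.get)
        self.load[gateway] += 1
        # Echo the initiator's nonce so the client can tie this REDIRECT to
        # the request it actually sent.
        return {REDIRECT: encode_redirect_data(gateway, initiator_nonce)}


class Client:
    """Assumed initiator side of the exchange."""

    def connect(self, lb, nonce=None):
        nonce = nonce or secrets.token_bytes(32)
        response = lb.handle_ike_sa_init(nonce, {REDIRECT_SUPPORTED})
        if not response or REDIRECT not in response:
            return None
        gateway, echoed = decode_redirect_data(response[REDIRECT])
        # A REDIRECT whose Nonce Data does not match our own nonce is not a
        # reply to our request and is ignored.
        if echoed != nonce:
            return None
        # Second IKE_SA_INIT goes straight to the gateway; ESP will follow it.
        new_request = {REDIRECTED_FROM: encode_redirect_data(lb.address)}
        return gateway, new_request


if __name__ == "__main__":
    lb = LoadBalancer("198.51.100.1", {"192.0.2.10": 5, "192.0.2.11": 3, "192.0.2.12": 9})
    for _ in range(3):
        print(Client().connect(lb)[0])
```

Run three clients against the constructed loads and the first two land on 192.0.2.11 (the least-loaded gateway) before the third goes to 192.0.2.10; the load balancer never sees a Child SA or an ESP packet, which is the bypass Pasi is pointing at.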