ipsec September 2009 archive

[IPsec] Ikev2 HA message Id Issue

From: Kalyani Garigipati (kagarigi) <kagarigi_at_nospam>
Date: Thu Sep 03 2009 - 13:06:58 GMT
To: <ipsec@ietf.org>

Hi,

In IKEv2 HA, there is an issue with the message ID and window size.

Standby device ----------------------- Active device ----------------------------------- Peer device

The active device participating in the exchange with the peer will update its message ID counters as per the exchanges done.

This info cannot be synced to the standby device for every exchange done, since that would take up all the bandwidth and is not an efficient way.

The standby device, when it becomes active, will start with the message ID as 1, and this will not be accepted by the peer, since its message ID counters are different.

Hence a solution is required to sync the message ID counters to the standby device.

1. A solution for this is to get the required info from the peer device, since it maintains all these counters.

The abstract details of how this can be done are given in the attached document.  

2. An alternative solution for this could be to send a new notify called (RESET_MESSAGE_ID) to the peer device as soon as the standby comes up. But this may lead to reuse of message IDs within the same SA, which is not desirable.

I think solution 1 should be implemented with IKEv2. Please give your comments.



IPsec mailing list
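To make the window mechanism behind the post concrete, here is an added Python model (not code from the post or from any IKEv2 implementation) of the per-SA Message ID counters and the responder's acceptance check from RFC 4306 section 2.3; the RESET_MESSAGE_ID notify and the counter copy that stands in for "get the required info from the peer" are assumptions of the model, not specified behaviour.

```python
from dataclasses import dataclass, field

@dataclass
class IkeSaCounters:
    """Message ID state one side keeps for a single IKE SA (RFC 4306 sect. 2.3)."""
    window_size: int = 1               # IKEv2 default; SET_WINDOW_SIZE can raise it
    next_request_id: int = 0           # Message ID of our next outgoing request
    expected_request_id: int = 0       # lowest peer request ID still acceptable
    seen: set = field(default_factory=set)  # in-window request IDs already answered

    def send_request(self) -> int:
        mid = self.next_request_id
        self.next_request_id += 1
        return mid

    def accept_request(self, mid: int) -> bool:
        """Responder side: drop anything outside the window or already processed."""
        if not (self.expected_request_id <= mid < self.expected_request_id + self.window_size):
            return False
        if mid in self.seen:
            return False
        self.seen.add(mid)
        while self.expected_request_id in self.seen:   # slide past answered IDs
            self.seen.discard(self.expected_request_id)
            self.expected_request_id += 1
        return True

def simulate_failover(n_exchanges: int, window_size: int = 1) -> dict:
    """Active runs n exchanges with the peer, then the standby takes the SA over."""
    peer = IkeSaCounters(window_size)
    active = IkeSaCounters(window_size)
    for _ in range(n_exchanges):
        peer.accept_request(active.send_request())

    # Failover with no counter sync: the standby's fresh counter is below the
    # peer's window, so its first request is silently dropped (the post's issue).
    standby = IkeSaCounters(window_size)
    unsynced_ok = peer.accept_request(standby.send_request())

    # Option 1 from the post: learn the live counter before sending anything
    # (copied from the active state here, standing in for querying the peer).
    standby.next_request_id = active.next_request_id
    synced_ok = peer.accept_request(standby.send_request())

    # Option 2 from the post: a hypothetical RESET_MESSAGE_ID makes the peer
    # rewind its window to 0, so the standby reuses IDs the active already spent.
    peer.expected_request_id, peer.seen = 0, set()
    reset_standby = IkeSaCounters(window_size)
    reused = [reset_standby.send_request() for _ in range(n_exchanges)]
    reuse_ok = all(peer.accept_request(m) for m in reused)
    return {"unsynced_accepted": unsynced_ok, "synced_accepted": synced_ok,
            "reused_ids": reused, "reuse_accepted": reuse_ok}
```

With a window size above 1 the same check also accepts in-order and slightly out-of-order requests, which is why the constructed sync step only needs the next request ID and not the full exchange history.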