Cloning the IKE Security Association in the Internet Key Exchange Protocol Version 2 (IKEv2) (RFC7791)

IP.com Disclosure Number: IPCOM000245370D
Original Publication Date: 2016-Mar-01
Included in the Prior Art Database: 2016-Mar-04
Document File: 28 page(s) / 33K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

D. Migault: AUTHOR [+3]


The main scenario that motivated this document is a VPN end user establishing a VPN with a Security Gateway when at least one of the peers has multiple interfaces. Figure 1 represents the case when the VPN end user has multiple interfaces, Figure 2 represents the case when the Security Gateway has multiple interfaces, and Figure 3 represents the case when both the VPN end user and the Security Gateway have multiple interfaces. With Figure 1 and Figure 2, one of the peers has n = 2 interfaces and the other has a single interface. This results in the creation of up to n = 2 VPNs. With Figure 3, the VPN end user has n = 2 interfaces and the Security Gateway has m = 2 interfaces. This may lead to up to m x n VPNs.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 8% of the total text.

Internet Engineering Task Force (IETF)                   D. Migault, Ed.
Request for Comments: 7791                                      Ericsson
Category: Standards Track                                     V. Smyslov
ISSN: 2070-1721                                               ELVIS-PLUS
                                                              March 2016

                   Cloning the IKE Security Association
         in the Internet Key Exchange Protocol Version 2 (IKEv2)


   This document considers a VPN end user establishing an IPsec Security Association (SA) with a Security Gateway using the Internet Key Exchange Protocol version 2 (IKEv2), where at least one of the peers has multiple interfaces or where Security Gateway is a cluster with each node having its own IP address.

   The protocol described allows a peer to clone an IKEv2 SA, where an additional SA is derived from an existing one. The newly created IKE SA is set without the IKEv2 authentication exchange. This IKE SA can later be assigned to another interface or moved to another cluster node.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7791.

 Migault & Smyslov            Standards Track                    [Page 1]
 RFC 7791                     Cloning IKE SA                   March 2016

 Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction ....