Internet Key Exchange - Protocol Extensions

Protocol Extensions

The IETF ipsecme working group has standardized a number of extensions, with the goal of modernizing the IKEv2 protocol and better adapting it to high-volume production environments. These extensions include:

  • IKE session resumption: the ability to resume an IKE/IPsec "session" after a failure, without the need to go through the entire IKE setup process (RFC 5723).
  • IKE redirect: redirection of incoming IKE requests, allowing for simple load-balancing between multiple IKE endpoints (RFC 5685).
  • IPsec traffic visibility: special tagging of ESP packets that are authenticated but not encrypted, with the goal of making it easier for middleboxes (such as intrusion detection systems) to analyze the flow (RFC 5840).
  • Mutual EAP authentication: support for EAP-only (i.e., certificate-less) authentication of both of the IKE peers; the goal is to allow for modern password-based authentication methods to be used (RFC 5998).
  • Quick crash detection: minimizing the time until an IKE peer detects that its opposite peer has crashed (RFC 6290).
  • High availability extensions: improving IKE/IPsec-level protocol synchronization between a cluster of IPsec endpoints and a peer, to reduce the probability of dropped connections after a failover event (RFC 6311).
