<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
Folks,</div>
<div style="color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 14px;"><font face="Calibri,sans-serif">As part of a recent project, I've partially implemented the following IKEv2 extension:</font></div>
<div style="color: rgb(0, 0, 0); font-size: 14px;"><font face="Calibri,sans-serif"><br>
</font></div>
<div style="color: rgb(0, 0, 0);"><font face="Calibri,sans-serif" style="font-size: 14px;">RFC5685: </font><span style="font-size: 1em; line-height: 0pt; widows: 1;">Redirect Mechanism for</span><span style="line-height: 0pt; widows: 1; font-size: 13px;"> the
Internet Key Exchange Protocol Version 2 (IKEv2)</span></div>
<div style="color: rgb(0, 0, 0); font-size: 14px;"><b>Link: </b><a href="https://tools.ietf.org/html/rfc5685">https://tools.ietf.org/html/rfc5685</a></div>
<div style="color: rgb(0, 0, 0); font-size: 14px;"><br>
</div>
<div>I'm interested in fleshing out support and submitting it back to the project such that it can be usable by others.</div>
<div style="color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
To summarize, this extension allows for the following:</div>
<ul style="color: rgb(0, 0, 0);">
<li>An initiator can be redirected to an alternate address (indicating it supports redirect by included an extension flag in the SA INIT)</li><li>A responder can redirect a client which supports redirect to an alternate address, either as part of the SA INIT or SA AUTH exchange</li></ul>
<div style="color: rgb(0, 0, 0);">Typically, this extension is used for load balancing. strongSwan, of course, already supports load balancing and HA failover using ClusterIP and the HA plug-in. This extension, however, could allow for a load balancing to
multiple clusters (or individual strongSwan servers), which do not need to be collocated. </div>
<div style="color: rgb(0, 0, 0);"><br>
</div>
<div style="color: rgb(0, 0, 0);">I'd like to implement the following within strongSwan:</div>
<ul>
<li>Initiator (client) redirect support</li><li>Responder redirect on SA INIT</li><li>Responder redirect on SA AUTH</li></ul>
<div>These would be configured presumably via a new "redirect=<none|client|auth|init>" parameter within the connection entry in ipsec.conf (or configured via VICI).</div>
<div><br>
</div>
<div>Within libcharon, I'd like to implement the responder support for redirect such that a plug-in will provide the callbacks for actually getting the address to redirect to (or none, if no redirect will be needed). From there, I would provide a simple load
balancing plug-in (probably just a round-robin style balancer). This could be used as a reference implementation for more complex load balancing algorithms.</div>
<div><br>
</div>
<div>Before beginning this work, I'd very much appreciate thoughts on the project and any advice other developers may have.</div>
<div><br>
</div>
<div>Kind regards,</div>
<div><br>
</div>
<div>/Ryan</div>
<div style="color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div id="MAC_OUTLOOK_SIGNATURE">
<div>— </div>
<div>Ryan Ruel</div>
<div>Principal Lead Software Engineer </div>
<div>Cloud Networking</div>
<div>rruel@akamai.com</div>
<div>617-444-0359 (desk) | 617-304-5442 (mobile)</div>
<div><br>
</div>
<div><img src="cid:41013E5A-53FE-4091-93B4-B06EAB758451" type="image/png"></div>
</div>
</div>
</body>
</html>