[strongSwan-dev] RFC5685 - IKEv2 Redirect - Planned Implementation

Ruel, Ryan rruel at akamai.com
Thu Jan 28 15:38:48 CET 2016 

Folks,

As part of a recent project, I've partially implemented the following IKEv2 extension:

RFC5685: Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)
Link: https://tools.ietf.org/html/rfc5685

I'm interested in fleshing out support and submitting it back to the project such that it can be usable by others.

To summarize, this extension allows for the following:

  *   An initiator can be redirected to an alternate address (indicating it supports redirect by included an extension flag in the SA INIT)
  *   A responder can redirect a client which supports redirect to an alternate address, either as part of the SA INIT or SA AUTH exchange

Typically, this extension is used for load balancing.   strongSwan, of course, already supports load balancing and HA failover using ClusterIP and the HA plug-in.  This extension, however, could allow for a load balancing to multiple clusters (or individual strongSwan servers), which do not need to be collocated.

I'd like to implement the following within strongSwan:

  *   Initiator (client) redirect support
  *   Responder redirect on SA INIT
  *   Responder redirect on SA AUTH

These would be configured presumably via a new "redirect=<none|client|auth|init>" parameter within the connection entry in ipsec.conf (or configured via VICI).

Within libcharon, I'd like to implement the responder support for redirect such that a plug-in will provide the callbacks for actually getting the address to redirect to (or none, if no redirect will be needed).  From there, I would provide a simple load balancing plug-in (probably just a round-robin style balancer).  This could be used as a reference implementation for more complex load balancing algorithms.

Before beginning this work, I'd very much appreciate thoughts on the project and any advice other developers may have.

Kind regards,

/Ryan

—
Ryan Ruel
Principal Lead Software Engineer
Cloud Networking
rruel at akamai.com
617-444-0359 (desk) | 617-304-5442 (mobile)

[cid:41013E5A-53FE-4091-93B4-B06EAB758451]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20160128/f375bf04/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Stacked_Tagline_RGB[1].png
Type: image/png
Size: 11227 bytes
Desc: Stacked_Tagline_RGB[1].png
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20160128/f375bf04/attachment.png>

More information about the Dev mailing list