Protocol Support for High Availability of IKEv2/IPsec
RFC 6311, “Protocol Support for High Availability of IKEv2/IPsec”, is a Proposed Standard document published in July 2011 by R. Singh, G. Kalyani, Y. Nir, Y. Sheffer, and D. Zhang. The canonical text is published by the RFC Editor.
Abstract
The IPsec protocol suite is widely used for business-critical network traffic. In order to make IPsec deployments highly available, more scalable, and failure-resistant, they are often implemented as IPsec High Availability (HA) clusters. However, there are many issues in IPsec HA clustering, and in particular in Internet Key Exchange Protocol version 2 (IKEv2) clustering. An earlier document, "IPsec Cluster Problem Statement", enumerates the issues encountered in the IKEv2/IPsec HA cluster environment. This document resolves these issues with the least possible change to the protocol.
This document defines an extension to the IKEv2 protocol to solve the main issues of "IPsec Cluster Problem Statement" in the commonly deployed hot standby cluster, and provides implementation advice for other issues. The main issues solved are the synchronization of IKEv2 Message ID counters, and of IPsec replay counters. [STANDARDS-TRACK]
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 6311 is hosted at rfc-editor.org. Available in TXT and HTML.