Authors:
Peng Yang; Yuanchen Ma and Satoshi Yoshizawa
Affiliation:
Hitachi (China) Research and Development Corporation, China
Keyword(s):
IKEv2, Fail-over, IPsec, IPsec gateway, Fast IKEv2 SA re-establishment.
Related Ontology Subjects/Areas/Topics:
Information and Systems Security; IPsec, VPNs and Encryption Modes; Mobile System Security; Network Security; Reliability and Dependability
Abstract:
IKEv2/IPsec has been widely deployed, for example in VPNs and MIPv6, to support mutual authentication, access control and traffic protection on the Internet. IKEv2/IPsec gateways may maintain a huge number of IKEv2/IPsec security associations. If a gateway fails or becomes overloaded, it takes a long time to re-establish the security associations on another IKEv2/IPsec gateway. The major reason is that the regular IKEv2 procedure incurs a long delay because of multiple signalling exchanges and complex computation, especially in the Diffie-Hellman exchange. In this paper, a new IKE SA re-establishment solution is proposed to reduce the overhead of computation and signalling by directly transferring the IKE SA from the old gateway to the new gateway via independent IKE SA storage (stub bank). The most expensive Diffie-Hellman exchange and some of the signalling can be avoided. Therefore, a huge number of IKE/IPsec security associations can be re-established in a short time. The applicability of this solution in mobile networks is further analyzed as well.