Hi,
There is an issue in IKEv2 REDIRECT RFC 5685. In one scenario, the IKEv2
REDIRECT will not work indefinitely.
Scenario: -
Let's assume there are about 1000 clients connected to an IKEv2 REDIRECT enabled
SeGW. None of the clients were IKEv2 redirect enabled at the time of
establishing the SA with the SeGW (meaning they have not sent the
REDIRECT_SUPPORTED notification in the IKE_SA_INIT message).
This will lead to a situation where the SeGW is loaded and wanting to redirect
some clients to another SeGW but it cannot REDIRECT them as none of them have
indicated REDIRECT support in the IKE_SA_INIT message.
If the user/operator enabled REDIRECT functionality dynamically (like after SAs
were established), then the SeGW is not going to redirect them because it had
not received a REDIRECT_SUPPORTED payload from the clients.
Effect/Impact: -
This leads to congestion/overload at the gateway when the base stations
connecting to the SeGW number in the several hundreds or thousands. In the LTE and
LTE-A scenarios, this condition is possible where the number of base stations
connecting to the SeGW is very high.
Suggestion/Solution: -
A change is required in RFC 5685 as below: -
"Whenever the redirect feature/functionality is enabled at run-time, the
client should indicate the same to the SeGW. This can be done by the client
sending an INFORMATIONAL message under the protection of the IKE SA. This
message MUST have a REDIRECT_SUPPORTED notify payload to enable the SeGW to
redirect them at run-time even though they had initially connected to the SeGW
without REDIRECT support."
Request for comments: -
Please read the problem, impact and solution listed above and let me know if
you have any comments. I hope my point is valid and that it needs to be
incorporated as an RFC update.
Regards,
Vijay N.
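The following is an added toy model of the gateway-side bookkeeping the post talks about; it is not code from the post, from RFC 5685, or from any IKEv2 implementation. It tracks, per IKE SA, whether the peer advertised REDIRECT_SUPPORTED in IKE_SA_INIT, shows why a loaded SeGW cannot shed any of 1000 clients that never did, and then models the proposed run-time INFORMATIONAL carrying REDIRECT_SUPPORTED. The notify type numbers are those assigned by RFC 5685 in the IANA IKEv2 registry; the class and function names, the load threshold and the redirect target name are assumptions made for this example. One design choice worth noting from a defender's point of view: the run-time flag is only honoured on an SA that has completed IKE_AUTH, so a half-open, unauthenticated SA cannot flip it.

```python
"""Toy model of SeGW-side REDIRECT eligibility (example only, not RFC/implementation code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Notify message types assigned by RFC 5685 (IANA IKEv2 Notify Message Types).
REDIRECT_SUPPORTED = 16406
REDIRECT = 16407
REDIRECTED_FROM = 16408


@dataclass
class IkeSa:
    spi: int                          # initiator SPI, used as the SA key here
    established: bool = False         # True once IKE_AUTH has completed
    redirect_supported: bool = False  # peer advertised REDIRECT_SUPPORTED


class SeGW:
    """Minimal gateway: remembers SAs and which peers can be redirected."""

    def __init__(self, max_load: int) -> None:
        self.max_load = max_load
        self.sas: Dict[int, IkeSa] = {}

    def ike_sa_init(self, spi: int, notifies: List[int]) -> IkeSa:
        # RFC 5685 behaviour: support is learned only from IKE_SA_INIT.
        sa = IkeSa(spi=spi, redirect_supported=REDIRECT_SUPPORTED in notifies)
        self.sas[spi] = sa
        return sa

    def ike_auth(self, spi: int) -> None:
        self.sas[spi].established = True

    def informational(self, spi: int, notifies: List[int]) -> bool:
        """Proposed extension from the post: a protected INFORMATIONAL carrying
        REDIRECT_SUPPORTED marks an already-connected peer as redirectable.
        Only an authenticated (established) SA may set the flag."""
        sa = self.sas[spi]
        if not sa.established:
            return False
        if REDIRECT_SUPPORTED in notifies:
            sa.redirect_supported = True
            return True
        return False

    def shed_load(self, target_gw: str) -> List[Tuple[int, int, str]]:
        """Send REDIRECT to as many redirect-capable peers as needed to get
        back under max_load. Returns the (spi, notify type, target) tuples sent."""
        excess = len(self.sas) - self.max_load
        sent: List[Tuple[int, int, str]] = []
        for sa in list(self.sas.values()):
            if excess <= 0:
                break
            if sa.redirect_supported:
                sent.append((sa.spi, REDIRECT, target_gw))
                del self.sas[sa.spi]   # peer tears down and reconnects elsewhere
                excess -= 1
        return sent


def build_loaded_gateway(n_clients: int = 1000, max_load: int = 800) -> SeGW:
    """Constructed scenario from the post: every client connected without
    advertising REDIRECT_SUPPORTED, and the gateway is now over its threshold."""
    gw = SeGW(max_load)
    for spi in range(1, n_clients + 1):
        gw.ike_sa_init(spi, notifies=[])
        gw.ike_auth(spi)
    return gw


def demonstrate(n_clients: int = 1000, max_load: int = 800, n_late: int = 300) -> Dict[str, int]:
    """Compare shedding before and after n_late peers send the proposed
    run-time REDIRECT_SUPPORTED notify in a protected INFORMATIONAL."""
    gw = build_loaded_gateway(n_clients, max_load)
    before = gw.shed_load("segw-2")          # nothing can be redirected
    for spi in range(1, n_late + 1):
        gw.informational(spi, [REDIRECT_SUPPORTED])
    after = gw.shed_load("segw-2")           # now the excess can be shed
    return {"before": len(before), "after": len(after), "remaining": len(gw.sas)}


if __name__ == "__main__":
    print(demonstrate())   # {'before': 0, 'after': 200, 'remaining': 800}
```

Run as a script it prints the before/after counts; `build_loaded_gateway` can be reused to try other client counts and thresholds.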