The Internet Key Exchange version 2 (IKEv2) protocol has a certain
computational and communication overhead with respect to the number of
round-trips required and the cryptographic operations involved. In
remote access situations, the Extensible Authentication Protocol (EAP)
is used for authentication, which adds several more round trips and
consequently latency. To re-establish security associations (SA) upon
a failure recovery condition is time consuming, especially when an
IPsec peer, such as a VPN gateway, needs to re-establish a large
number of SAs with various end points. A high number of concurrent
sessions might cause additional problems for an IPsec peer during SA
re-establishment. In order to avoid the need to re-run the key
exchange protocol from scratch it would be useful to provide an
efficient way to resume an IKE/IPsec session. This document proposes
an extension to IKEv2 that allows a client to re-establish an IKE SA
with a gateway in a highly efficient manner, utilizing a previously
established IKE SA. A client can reconnect to a gateway from which it
was disconnected. The proposed approach uses an IKEv2 state (or a
reference into a state store) to store state information that is
later made available to the IKEv2 responder for re-authentication.
Restoring state information by utilizing a ticket is one possible way.
This document does not specify the format of the ticket but
recommendations are provided.
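The ticket-by-reference option sketched above (the gateway keeps the IKE SA state and hands the client an opaque handle it later presents for resumption), modelled as an added example. This is not code from the document or from any IKEv2 implementation: the `Gateway` class, `IkeSaState` fields, `TICKET_LIFETIME`, the HMAC-over-handle ticket layout and the nonce-based derivation of a fresh `sk_d` are all assumptions chosen to show the checks a responder needs before trusting a presented ticket (integrity, lifetime, single use).

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy value: how long a resumption ticket stays valid, in seconds.
TICKET_LIFETIME = 3600

HANDLE_LEN = 16   # random reference into the gateway's state store
EXPIRY_LEN = 8    # big-endian seconds since the epoch
TAG_LEN = 32      # HMAC-SHA256 over handle || expiry


@dataclass
class IkeSaState:
    """Subset of IKE SA state a gateway keeps for resumption (assumed fields).

    sk_d is the key from which child SA keys are derived; it must never leave
    the gateway in clear, which is why the client only gets a reference.
    """
    peer_id: str
    sk_d: bytes
    prf_alg: str
    created: float


class Gateway:
    """Responder side of ticket-by-reference resumption (hypothetical model)."""

    def __init__(self, ticket_mac_key: bytes) -> None:
        self._key = ticket_mac_key
        # handle -> (saved SA state, expiry time)
        self._store: Dict[bytes, Tuple[IkeSaState, int]] = {}

    def issue_ticket(self, sa: IkeSaState, now: Optional[float] = None) -> bytes:
        """Save the SA state and return an opaque, integrity-protected handle."""
        now = time.time() if now is None else now
        handle = os.urandom(HANDLE_LEN)
        expiry = int(now + TICKET_LIFETIME)
        body = handle + expiry.to_bytes(EXPIRY_LEN, "big")
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        self._store[handle] = (sa, expiry)
        return body + tag

    def resume(self, ticket: bytes, nonce_i: bytes, nonce_r: bytes,
               now: Optional[float] = None) -> Optional[IkeSaState]:
        """Validate a presented ticket and build the resumed SA, or return None."""
        now = time.time() if now is None else now
        if len(ticket) != HANDLE_LEN + EXPIRY_LEN + TAG_LEN:
            return None
        body, tag = ticket[:HANDLE_LEN + EXPIRY_LEN], ticket[HANDLE_LEN + EXPIRY_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Forged or corrupted tickets are rejected before the store is consulted,
        # so an attacker cannot probe the store with guessed handles.
        if not hmac.compare_digest(expected, tag):
            return None
        handle = body[:HANDLE_LEN]
        expiry = int.from_bytes(body[HANDLE_LEN:], "big")
        if now > expiry:
            self._store.pop(handle, None)   # drop stale state on the way out
            return None
        # pop() makes the ticket single-use: presenting it twice fails the second time.
        entry = self._store.pop(handle, None)
        if entry is None:
            return None
        old_sa, _ = entry
        # Assumed derivation: fresh nonces from both sides mixed into the old
        # sk_d, so the resumed SA does not reuse the previous key material as-is.
        new_sk_d = hmac.new(old_sa.sk_d, nonce_i + nonce_r, hashlib.sha256).digest()
        return IkeSaState(old_sa.peer_id, new_sk_d, old_sa.prf_alg, now)

    def pending(self) -> int:
        """Number of resumable sessions currently held (useful for capacity checks)."""
        return len(self._store)


def demo() -> Optional[IkeSaState]:
    """Constructed walkthrough: establish, disconnect, resume once."""
    gw = Gateway(ticket_mac_key=b"\x11" * 32)           # constructed gateway key
    sa = IkeSaState("client@example.test", b"\x22" * 32, "PRF_HMAC_SHA2_256", 1000.0)
    ticket = gw.issue_ticket(sa, now=1000.0)          # client stores this opaquely
    return gw.resume(ticket, b"ni", b"nr", now=1500.0)


if __name__ == "__main__":
    resumed = demo()
    print("resumed for", resumed.peer_id if resumed else None)
```

The three rejection paths (bad tag, expired, already consumed) are the ones a responder is most exposed on: without the tag check the store becomes an oracle for guessed handles, without the lifetime old state accumulates at the gateway the document worries about, and without single use a captured ticket could be replayed.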