Re: Daemon Recovery



Daniel Harkins wrote:
> 
>   I'm not sure that would fix the problem. Peer A doesn't know peer B crashed
> so it doesn't try to negotiate again. As far as A is concerned everything is
> hunky-dory. B, on the other hand, silently drops the packets per the spec.
> 
>   I've been worrying about this for a while but for a different reason.
> If one of the peers is doing Virtual Router Redundancy Protocol and the
> failover happens this same situation can occur. To A it looks like nothing
> happened. Same IP address, same everything, just all of a sudden everything
> IPSec-wise stopped working. I was toying with the idea of an ISAKMP keep-alive
> message as a way to solve this. Periodically the peers could just remind each
> other of their continued viability and prove they still have the SKEYID state.
> If after some period of time a keep-alive was not received, the peer (A in the
> example) could begin negotiation with the other peer (B in the example) and
> then do as you suggest: throw away the old SPIs and start using the new ones.
> 
>   Any other potential solutions?
> 

The problem is when A does not receive a keep-alive message from B, it
could start an ISAKMP negotiation and B could still be down at this
point. I think it is better that when B receives a secure packet and
doesn't have an SA, it negotiates a new SA. The only problem is SA
explosion on A. If the SAs have large lifetimes, then the old SAs established
between A and B will not be deleted until the timeout. We can avoid this
problem by notifying that this is the first SA establishment after a
reboot so that A can purge all the SAs associated with B.
-- 
--Naganand

---------------------------------------------------------------

Naganand Doraswamy		(508)916-1323 (O)
Bay Architecture Lab		(508)670-8153 (F)
Bay Networks, Inc.
3 Federal St, BL3-04
Billerica, MA 01821
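A toy model of the two behaviours discussed in the reply: B renegotiating when it gets a packet for an SPI it no longer knows, and B flagging the first SA after a reboot so that A purges its stale SAs. This is added example code, not from the thread; the Peer class, run_scenario and the SPI values are constructed for illustration.

```python
"""Toy model: peer B reboots and loses its SAs while A keeps using old SPIs."""
from dataclasses import dataclass, field
import itertools

_spi = itertools.count(0x1000)  # constructed SPI generator, not real values


@dataclass
class Peer:
    name: str
    signal_reboot: bool = False              # flag the first SA set up after a reboot
    sas: dict = field(default_factory=dict)  # SPI -> remote peer name
    fresh_boot: bool = False                 # True until the first post-reboot SA exists

    def negotiate(self, other):
        """Install a new SA pair with `other`. If this is our first SA after a
        reboot and the notify option is on, `other` first purges every SA it
        still holds for us (the stale ones that would otherwise sit until timeout)."""
        if self.signal_reboot and self.fresh_boot:
            other.sas = {s: r for s, r in other.sas.items() if r != self.name}
        self.fresh_boot = False
        spi = next(_spi)
        self.sas[spi] = other.name
        other.sas[spi] = self.name
        return spi

    def crash(self):
        self.sas.clear()        # all SA state is lost; the other side is not told
        self.fresh_boot = True

    def receive(self, spi, sender):
        """Handle a protected packet. The spec silently drops an unknown SPI; here
        the receiver instead negotiates a fresh SA, as the reply proposes."""
        if spi in self.sas:
            return "delivered"
        return self.negotiate(sender)


def run_scenario(signal_reboot, crashes=3):
    """Return how many SAs A still holds for B after B has crashed `crashes` times."""
    a = Peer("A")
    b = Peer("B", signal_reboot=signal_reboot)
    spi = b.negotiate(a)
    for _ in range(crashes):
        b.crash()
        spi = b.receive(spi, a)   # A still sends on the old SPI; B has forgotten it
    return sum(1 for r in a.sas.values() if r == "B")


if __name__ == "__main__":
    print("without reboot notify:", run_scenario(False))  # 4: SA explosion on A
    print("with reboot notify:   ", run_scenario(True))   # 1: only the live SA
```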

