
Re: Heartbeats draft (fwd)



On Tue, 28 Mar 2000, CHINNA N.R. PELLACURU wrote:
> Realistically how often does a server reboot? If the server is rebooting
> too often, then I guess we would be much better off, if we fixed the
> server, instead of trying to handle this scenario as if it is such a
> common scenario in IPSec.

In an ideal world, yes. Now in the REAL world, we do have to worry about
these things.

jan


> -chinna
> 
> On Tue, 28 Mar 2000, CHINNA N.R. PELLACURU wrote:
> 
> > An invalid SPI error can be the trigger point (along with other carefully
> > selected conditions). The peer that just came up will know the
> > tunnel/transport end point of the peer who is trying to send traffic, and
> > it can initiate a Main Mode SA to that endpoint. This peer should also
> > include the initial contact, so that the SADs can be sync'ed back again.
> > 
> > If there is some traffic originating on the side of the peer that went
> > down, then it has to initiate an SA negotiation anyway. An initial contact
> > will sync the SADs again.
> > -chinna
> > 
> > On Tue, 28 Mar 2000, Henry Spencer wrote:
> > 
> > > On Mon, 27 Mar 2000, chinna pellacuru wrote:
> > > > When one of the peers goes down, and comes back up, as I said before, the peer
> > > > that went down can ("intelligently") initiate fresh SAs with the Initial
> > > > Contact...
> > > 
> > > This assumes that the peer which went down is aware, when it comes back
> > > up, that it *should* initiate fresh SAs.  That is not necessarily true. 
> > > If it were, life would indeed be much simpler. 
> > > 
> > > In a world of fixed, static, pre-arranged VPN connections, each end can be
> > > told to re-initiate when it comes back up.  Unfortunately, many people
> > > wish to use IPSec in much more dynamic situations, where only one end may
> > > be aware of the immediate desire to send packets.  How does a rebooted
> > > server determine which of its potential clients it should re-initiate
> > > with?  It may not even know their IP addresses!
> > > 
> > >                                                           Henry Spencer
> > >                                                        henry@spsystems.net
> > > 
> > > 
> > > 
> > 
> > chinna narasimha reddy pellacuru
> > s/w engineer
> > 
> > 
> 
> chinna narasimha reddy pellacuru
> s/w engineer
> 
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847


