[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

To: "Derrell D. Piper" <ddp@cips.nokia.com>
Subject: Re: Heartbeats Straw Poll
From: Bill Sommerfeld <sommerfeld@East.Sun.COM>
Date: Mon, 07 Aug 2000 11:44:45 -0400
cc: Vlado Zafirov <vladoz@radware.com>, Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com
In-reply-to: Your message of "Fri, 04 Aug 2000 10:53:47 PDT." <200008041753.KAA15075@gallium.network-alchemy.com>
Reply-to: sommerfeld@East.Sun.COM
Sender: owner-ipsec@lists.tislabs.com

> >If SGW 1 dies SGW doesn't have a clue about the SPIs that SGW 3 is
> >sending. How he will inform the other end?
> 
> SGW2 could do a Main Mode under any Phase 1 policy that he has to SGW3 and in
> the process, tell him INITIAL-CONTACT.  No subsequent QM's would happen until
> the next packet hits SGW3.  You would want to rate limit this to prevent the
> obvious DoS attack on the receiving side.  

If your policies are certificate/name based rather than address-based,
this might not work so well (since you could have policy allowing
connections from any random address as long as it had the right cert).
I'd rather see schemes which put more of the burden on the peer which
both had state and had traffic to send.

BTW, I think that some sort of "IKE-level ping" facility would be very
useful as a diagnostic tool.  however, it should not be abused as a
"keepalive"/"make-dead" mechanism.

					- Bill

Follow-Ups:

Re: Heartbeats Straw Poll

From: Dan Harkins <dharkins@cips.nokia.com>

References:

Re: Heartbeats Straw Poll

From: "Derrell D. Piper" <ddp@cips.nokia.com>

Prev by Date: Re: Heartbeats Straw Poll
Next by Date: Re: Heartbeats Straw Poll
Prev by thread: Re: Heartbeats Straw Poll
Next by thread: Re: Heartbeats Straw Poll
Index(es):
- Main
- Thread