[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

To: "Derrell D. Piper" <ddp@cips.nokia.com>
Subject: Re: Heartbeats Straw Poll
From: Frederic Detienne <fd@cisco.com>
Date: Mon, 07 Aug 2000 18:00:33 +0200
CC: Vlado Zafirov <vladoz@radware.com>, sommerfeld@East.Sun.COM, Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com
Organization: Cisco Systems, Inc
References: <200008041753.KAA15075@gallium.network-alchemy.com>
Reply-To: fd@cisco.com
Sender: owner-ipsec@lists.tislabs.com


     (Active) 
     +-------+ 
     | SGW 1 |                          +-------+ 
     +-------+------- Internet -------- | SGW 3 | 
     +-------+-------/                  +-------+ 
     | SGW 2 | 
     +-------+ 
     (Backup) 

     SGW = Secure Gateway 


"Derrell D. Piper" wrote:
> 
>  >If SGW 1 dies SGW doesn't have a clue about the SPIs that SGW 3 is
>  >sending. How he will inform the other end?
> 
> SGW2 could do a Main Mode under any Phase 1 policy that he has to SGW3 and in
> the process, tell him INITIAL-CONTACT.  No subsequent QM's would happen until
> the next packet hits SGW3.  You would want to rate limit this to prevent the
> obvious DoS attack on the receiving side.  Our product implements this and it
> works well.  (Of course, our clustered gateways have replicated IKE state, so
> this is a non-problem for most of our customers.)

Fine... but how does SGW3 know it has to negotiate new phase 2 SA's with SGW2 ? If the traffic is one way (from sgw3 to sgw1/2), SGW2 will never ask the right SA's to be re-created (how would SGW2 know what it could not decrypt)...

	frederic detienne

Follow-Ups:

Re: Heartbeats Straw Poll

From: Dan Harkins <dharkins@cips.nokia.com>

References:

Re: Heartbeats Straw Poll

From: "Derrell D. Piper" <ddp@cips.nokia.com>

Prev by Date: Re: Heartbeats Straw Poll
Next by Date: Re: IPSec Configuration MIB
Prev by thread: Re: Heartbeats Straw Poll
Next by thread: Re: Heartbeats Straw Poll
Index(es):
- Main
- Thread