[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

To: ipsec@lists.tislabs.com
Subject: Re: Heartbeats Straw Poll
From: Ricky Charlet <rcharlet@redcreek.com>
Date: Mon, 07 Aug 2000 09:20:25 -0600
Organization: Redcreek Communications
References: <000001bffdb3$bf70fe90$a3d0788a@andrewk3.ca.newbridge.com> <p0432041cb5b079226c70@[147.73.132.180]>
Sender: owner-ipsec@lists.tislabs.com

Paul Hoffman wrote:
> When the group was asked "how many people understand this proposal",
> I saw lots of people who I would have hoped would have raised their
> hands not doing so (and not voting in the next two questions,
> thankfully). Sounds like we might want a *short*, concise statement
> of the problem to the list before the straw poll is taken next. Maybe
> start with a neutral description of the problem, followed by two
> paragraphs in favor and two opposed.
> 
> --Paul Hoffman, Director
> --VPN Consortium


Howdy,
	I'll take a stab.

 	Dead Peer Detection. (or some have called this same concept Black Hole
Detection).

	There are several motives for wanting to be able to detect a dead peer.
Among these are: 
 o implementing a redundancy strategy 
 o ipsra event auditing (required) and accounting (not required) 
 o general resourse/state recovery


Argument in favor:
==================
	IPsec creates black holes. If an SA is built among peers SGW1 and
SSGW2, and later one of those peers (SGW2) becomes unreachable, then
protected traffic will be black holed from SGW1 into the (now defunct)
SA with no ICMP unreachable messages being sent back to the sending
hosts. At the very least, If SGW1 could learn that the SA became a black
hole, then it would be able to send ICMP unreachables back to the
sending hosts and the dead peer detection to do that MUST interoperate.
But, more sophisticated implementations could also choose to create a
new SA with a 'back up peer' as one possible redundancy strategy.
Redundancy stragegies need not interoperate among vendors, but the dead
peer detection mechanism does need to interoperate.
	Also, when a remote access client is builds an SA with an SGW, there is
an unignorable liklihood that the client may be shut down in non-clean
fashion (power off, kill process, unplug communications connection...)
In the abesnce of a dead peer detection mechanism, the SGW would
continue to believe that the client were present until it initiated a
re-key event. For gateways connecting thousands of clients, this leads
to very unattractive leaking of resourses. But more importantly, it
destroys auditing capabilities. An audit event for client connect and
client disconnect and loss of client are all deeply significant when you
are trying to tack who accessed what when for either legal or technical
reasons. IPSRA requires the capability to track connection start and end
time (NOTE: in the current rev of the draft draft-ietf-ipsra-reqmts
these are listed as Accounting requirements in section 2.4. But at the
IPSRA meeting, the acounting requirements got trimed but connection
start and stop survived as required audit events).



Argument Against:
==================
	Its hard to do. We had trouble with this stuff back when we did TCP.
Also, IPsec WG has lasted a long time now and needs to close, we have a
steep prejudice against initiating any new work items.



-- 
  Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903

Follow-Ups:

Re: Heartbeats Straw Poll

From: Sankar Ramamoorthi <sankar@nexsi.com>

Re: Heartbeats Straw Poll

From: Jan Vilhuber <vilhuber@cisco.com>

References:

Heartbeats Straw Poll

From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>

Re: Heartbeats Straw Poll

From: Paul Hoffman <paul.hoffman@vpnc.org>

Prev by Date: Re: Heartbeats Straw Poll
Next by Date: Re: Heartbeats Straw Poll
Prev by thread: Re: Heartbeats Straw Poll
Next by thread: Re: Heartbeats Straw Poll
Index(es):
- Main
- Thread