[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

To: fd@cisco.com
Subject: Re: Heartbeats Straw Poll
From: Dan Harkins <dharkins@cips.nokia.com>
Date: Mon, 07 Aug 2000 09:53:22 -0700
cc: "Derrell D. Piper" <ddp@cips.nokia.com>, Vlado Zafirov <vladoz@radware.com>, sommerfeld@East.Sun.COM, Paul Hoffman <paul.hoffman@vpnc.org>, ipsec@lists.tislabs.com
In-reply-to: Your message of "Mon, 07 Aug 2000 18:00:33 +0200." <398EDD21.E768F182@cisco.com>
Sender: owner-ipsec@lists.tislabs.com

On Mon, 07 Aug 2000 18:00:33 +0200 you wrote
> 
> "Derrell D. Piper" wrote:
> > 
> >  >If SGW 1 dies SGW doesn't have a clue about the SPIs that SGW 3 is
> >  >sending. How he will inform the other end?
> > 
> > SGW2 could do a Main Mode under any Phase 1 policy that he has to SGW3 and 
>in
> > the process, tell him INITIAL-CONTACT.  No subsequent QM's would happen unt
>il
> > the next packet hits SGW3.  You would want to rate limit this to prevent th
>e
> > obvious DoS attack on the receiving side.  Our product implements this and 
>it
> > works well.  (Of course, our clustered gateways have replicated IKE state, 
>so
> > this is a non-problem for most of our customers.)
> 
> Fine... but how does SGW3 know it has to negotiate new phase 2 SA's with SGW2
> ? If the traffic is one way (from sgw3 to sgw1/2), SGW2 will never ask the ri
>ght SA's to be re-created (how would SGW2 know what it could not decrypt)...

That's what the INITIAL-CONTACT notification is for.

  Dan.

References:

Re: Heartbeats Straw Poll

From: Frederic Detienne <fd@cisco.com>

Prev by Date: Re: Heartbeats Straw Poll
Next by Date: Re: IPSec Configuration MIB
Prev by thread: Re: Heartbeats Straw Poll
Next by thread: RE: Heartbeats Straw Poll (part 2)
Index(es):
- Main
- Thread