
Re: ipsec error protocol



> Can we please not be dogmatic about this? Keepalives come with certain
> well-known pitfalls; if you know what they are, you can invent a scheme with
> whatever design tolerances you desire.

Keepalives:

 - do not quickly detect loss of state unless the keepalive timeout is
very short.

 - generate traffic even when applications have nothing to say.  If
the keepalive timeout is short, they may even generate more overhead
packets than "real" traffic.

 - have no way to distinguish temporary loss of connectivity
from permanent loss of state, resulting in premature
disconnects.

They are an extremely poor fit for the problem.

				- Bill
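
An added illustration of the three points in the message above, not part of the original post: a constructed simulation of a timer-based keepalive on an otherwise idle link. The function name, its parameters and all timings are assumptions chosen for the example.

```python
def simulate(interval, misses_allowed, outage, state_loss_at, horizon):
    """Probe a peer every `interval` seconds; the applications send nothing.

    outage         (start, end) of a temporary connectivity loss; the peer
                   keeps its state throughout.
    state_loss_at  time at which the peer permanently loses its state.
    Returns the probes sent, whether the association was torn down during
    the temporary outage, and the delay between the real state loss and
    its detection (None if it was not detected before `horizon`).
    """
    probes = missed = 0
    false_disconnect = False
    t = interval
    while t <= horizon:
        probes += 1
        in_outage = outage[0] <= t < outage[1]
        lost = t >= state_loss_at
        # An unanswered probe looks the same to the sender in both cases.
        missed = missed + 1 if (in_outage or lost) else 0
        if missed >= misses_allowed:
            if lost:
                return {"probes": probes,
                        "false_disconnect": false_disconnect,
                        "detect_delay": t - state_loss_at}
            false_disconnect = True   # premature teardown
            missed = 0                # assume the association is rebuilt
        t += interval
    return {"probes": probes, "false_disconnect": false_disconnect,
            "detect_delay": None}


# Constructed scenario: 30 s outage at t=100, peer loses state at t=600.
SCENARIO = dict(outage=(100, 130), state_loss_at=600, horizon=900)

if __name__ == "__main__":
    for interval in (5, 60):
        result = simulate(interval, 3, **SCENARIO)
        print(f"interval={interval:>2}s misses=3 -> {result}")
```

With three missed probes allowed, the 5-second timer notices the state loss within 10 seconds but sends 122 probes on an idle link and tears the association down during the 30-second outage; the 60-second timer survives the outage with 12 probes but takes 120 seconds to notice the state loss.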


