FW: Dead peer detection

["Casey Carr" <caseyc@cipheroptics.com>]

Sorry.  I sent this to the IPSec Policy WG the first time by mistake.

I think it more appropriate in the general IPSec WG.

-----Original Message-----
From: Casey Carr [mailto:caseyc@cipheroptics.com]
Sent: Wednesday, April 03, 2002 2:24 PM
To: IPSec Policy WG
Subject: Dead peer detection


Is there an RFC or draft on standards track to deal with dead peer
detection?  After spending some time reviewing the IPSec, IKE, ISAKMP RFCs I
have drawn the conclusion that there is not a "standard" way to implement
dead peer detection.  Have I reached a valid conclusion?  Are other IPSec
vendors implementing proprietary solutions?  If so, have there been
interoperability issues?

I reviewed draft-ietf-ipsec-dpd-00.txt.  It appears to be a year old without
revisions which leads me to believe that it may not be widely accepted.

It also  appears from a statement in JFK that the authors regard this as an
implementation issue:

"A second major reason for Phase II is dead peer detection.  IPsec
    gateways often need to know if the other end of a security association
    is dead, both to free up resources and to avoid "black holes".
    In JFK, this is done by noting the time of the last packet received.
    A peer that wishes to elicit a packet may send a "ping".  Such
    hosts MAY decline any proposed security associations that do not
    permit such "ping" packets."


Thanks,
Casey