
RE: SOI QUESTION: 4.3 Dead peer detection



On Tue, 25 Jun 2002, Jan Vilhuber wrote:
> ...I don't much care for the hand-waving
> ping approach suggested by JFK, whereas IKEv2's approach is closer to
> the DPD mechanism suggested by Geoff Huang et al. (now expired...

Also to what's suggested in draft-spencer-ipsec-ike-implementation-02.txt.

> I was also under the impression that birth-certificates were more akin
> to Initial-contact, rather than real-time detection of connectivity
> problems. The two aren't necessarily the same.

Birth certificates tackle the problem slightly differently:  they permit
authenticated, believable error reports from the other end.  This isn't
quite as useful as an IKE-level query/response mechanism, but it does
address the primary problem, dead-SA detection. 

                                                          Henry Spencer
                                                       henry@spsystems.net