
RE: Dead peer detection



Hi,

Can you resubmit the draft to Internet Drafts and we will issue the last call as soon as it re-appears.

Thanks,
Barb

At 01:36 PM 11/1/2002, Geoffrey Huang wrote:
>Hi Ed,
>
>The draft has expired, but I've attached a copy of it. I'd like to move the
>draft forward (wherever that might be), but the focus in the WG lately has
>been on IKEv2.
>
>> I have wandered around the working group's site and could not find the
>> draft-ietf-ipsec-dpd-00.txt any longer, nor could I find any ongoing
>> conversations on the subject. Was this draft allowed to expire without any
>> further discussions, or was another draft started?
>> I understand that some products do "dead peer detection" and was wondering
>> if this draft was how it was to be done or if the use of a lower
>> re-key timer
>
>This is the method that Cisco devices use.
>
>> (say 600 seconds) in phase one would have the same effect, if one was to
>> delete the phase 2 SAs if the phase one negotiations failed.
>
>It depends on your implementation. If you always maintain a Phase 1 SA
>("Continuous Channel Mode") when there are Phase 2 SAs, then doing as you
>propose might be one solution. Keep in mind, however, that it won't scale
>well if you have to frequently rekey. Essentially, you'd be using a Phase 1
>negotiation to do the DPD; the difference is that DPD involves 2 notify
>messages (a "hello" and an ACK). Using a Phase 1 for DPD requires at least
>3 messages, plus a DH... Added to this is the concern that 600 seconds might
>be too coarse an interval before detecting a black hole.
>
>-g
>
>> Thanks
>> Ed Wilkinson
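The two-notify exchange Geoffrey describes (a "hello" and an ACK over the existing Phase 1 SA), as an added simulation that is not part of the thread or of any implementation discussed in it. The notify type numbers (R-U-THERE = 36136, R-U-THERE-ACK = 36137), the traffic-based rule that a probe is only sent after the peer has been idle, and the "declare dead after N unanswered retransmits" behaviour are taken from RFC 3706, the RFC that draft-ietf-ipsec-dpd later became, not from the message above. The idle threshold, retry interval, retry count and starting sequence number are constructed parameters chosen for the example; the black-holed link is a toy stand-in for a crashed peer. The example also shows the check a practitioner wants in a real DPD implementation: an ACK is accepted only if it echoes the sequence number of the outstanding probe, so a replayed or stale ACK cannot mask a dead peer.

```python
from dataclasses import dataclass
from typing import Optional

# Notify message types defined in RFC 3706 (not taken from the thread).
R_U_THERE = 36136
R_U_THERE_ACK = 36137


@dataclass
class Notify:
    ntype: int
    seq: int  # 32-bit sequence number carried in the notify data


@dataclass
class Link:
    """Toy one-way channel; black_hole=True silently drops every message."""
    black_hole: bool = False
    delivered: int = 0

    def send(self, msg: Notify) -> Optional[Notify]:
        if self.black_hole:
            return None
        self.delivered += 1
        return msg


class Responder:
    """Answers an R-U-THERE with an ACK that echoes the same sequence number."""
    def handle(self, msg: Notify) -> Optional[Notify]:
        return Notify(R_U_THERE_ACK, msg.seq) if msg.ntype == R_U_THERE else None


class DpdInitiator:
    # Constructed parameters: 10 s idle threshold, 2 s between retransmits,
    # 3 retransmits before the peer is declared dead, fixed starting sequence.
    def __init__(self, idle_threshold=10, retry_interval=2, max_retries=3, first_seq=1000):
        self.idle_threshold, self.retry_interval = idle_threshold, retry_interval
        self.max_retries, self.seq = max_retries, first_seq
        self.last_rx = 0                    # time of last traffic from the peer
        self.outstanding: Optional[int] = None  # seq of the unanswered probe
        self.sent_at = self.retries = self.probes_sent = 0
        self.dead = False

    def on_traffic(self, now: int) -> None:
        """Any traffic from the peer proves liveness and cancels a pending probe."""
        self.last_rx, self.outstanding, self.retries = now, None, 0

    def on_ack(self, now: int, ack: Notify) -> bool:
        # Only the ACK matching the outstanding probe counts; a replayed or
        # stale ACK with another sequence number is ignored.
        if ack.ntype == R_U_THERE_ACK and ack.seq == self.outstanding:
            self.on_traffic(now)
            return True
        return False

    def tick(self, now: int) -> Optional[Notify]:
        """Return the R-U-THERE to send at time `now`, or None."""
        if self.dead:
            return None
        if self.outstanding is None:
            if now - self.last_rx < self.idle_threshold:
                return None             # peer is talking to us: no probe needed
            self.seq += 1
            self.outstanding, self.retries = self.seq, 0
        else:
            if now - self.sent_at < self.retry_interval:
                return None
            if self.retries >= self.max_retries:
                self.dead = True        # budget exhausted: tear down the SAs
                return None
            self.retries += 1           # retransmit with the same sequence number
        self.sent_at, self.probes_sent = now, self.probes_sent + 1
        return Notify(R_U_THERE, self.outstanding)


def dpd_worst_case_detection(idle_threshold=10, retry_interval=2, max_retries=3) -> int:
    """Seconds from last traffic until a dead peer is declared dead."""
    return idle_threshold + retry_interval * (max_retries + 1)


def run(black_hole_at: Optional[int], duration: int = 60, **kw):
    """Step one second at a time; returns (dead_at, probes_sent, probes_delivered)."""
    init, resp, fwd, back = DpdInitiator(**kw), Responder(), Link(), Link()
    dead_at = None
    for now in range(duration):
        if black_hole_at is not None and now >= black_hole_at:
            fwd.black_hole = back.black_hole = True
        probe = init.tick(now)
        if init.dead:
            dead_at = now
            break
        if probe is not None and (out := fwd.send(probe)) is not None:
            reply = resp.handle(out)
            if reply is not None and (ack := back.send(reply)) is not None:
                init.on_ack(now, ack)
    return dead_at, init.probes_sent, fwd.delivered


if __name__ == "__main__":
    print("healthy peer:", run(None))        # probes every 10 s, never dead
    print("dead from start:", run(0))        # 4 probes, dead at t=18
    print("black hole at t=25:", run(25))    # dead at t=38
```

Two properties of the exchange are visible in the output. With a healthy peer the initiator sends one two-message round trip per idle period and nothing else, which is why it scales better than driving a fresh Phase 1 (three or more messages plus a Diffie-Hellman exponentiation) on a short rekey timer. When the link black-holes, detection time is bounded by idle threshold plus the retransmit budget (18 seconds with these parameters, compared with the 600-second rekey interval suggested in the question), and the bound is tunable independently of the SA lifetimes.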