RE: Dead peer detection
Hi,
Can you resubmit the draft to Internet Drafts and we will issue the last call as soon as it re-appears.
Thanks,
Barb
At 01:36 PM 11/1/2002, Geoffrey Huang wrote:
>Hi Ed,
>
>The draft has expired, but I've attached a copy of it. I'd like to move the
>draft forward (wherever that might be), but the focus in the WG lately has
>been on IKEv2.
>
>> I have wandered around the working group's site and could not find the
>> draft-ietf-ipsec-dpd-00.txt any longer, nor could I find any ongoing
>> conversations on the subject. Was this draft allowed to expire without any
>> further discussions, or was another draft started?
>> I understand that some products do "dead peer detection" and was wondering
>> if this draft was how it was to be done or if the use of a lower re-key timer
>
>This is the method that Cisco devices use.
>
>> (say 600 seconds) in phase one would have the same effect, if one was to
>> delete the phase 2 SAs if the phase one negotiations failed.
>
>It depends on your implementation. If you always maintain a Phase 1 SA
>("Continuous Channel Mode") when there are Phase 2 SAs, then doing as you
>propose might be one solution. Keep in mind, however, that it won't scale
>well if you have to frequently rekey. Essentially, you'd be using a Phase 1
>negotiation to do the DPD; the difference is that DPD involves 2 notify
>messages (a "hello" and an ACK). Using a Phase 1 for DPD requires at least
>3 messages, plus a DH... Added to this is the concern that 600 seconds might
>be too coarse an interval before detecting a black hole.
>
>-g
>
>> Thanks
>> Ed Wilkinson
>>
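As an added illustration of the trade-off Geoffrey describes above (a two-notify "hello"/ACK probe versus waiting out a long Phase 1 rekey timer), here is a small Python simulation of a DPD-style liveness monitor. It is not code from this thread or from any IPsec implementation; the timer values, the sequence-number handling and the peer model are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class DpdMonitor:
    idle_threshold: float = 10.0   # assumed: seconds of silence before the first hello
    retry_interval: float = 5.0    # assumed: seconds between unanswered hellos
    max_retries: int = 3           # assumed: unanswered hellos before the peer is declared dead
    seq: int = 0                   # sequence number carried in the hello notify
    last_rx: float = 0.0           # time of the last traffic seen from the peer
    pending: dict = field(default_factory=dict)  # outstanding hello seq -> send time
    messages: int = 0              # DPD notifies on the wire (hellos + ACKs)
    dead: bool = False
    def on_traffic(self, now):     # any traffic from the peer is proof of life
        self.last_rx, self.pending = now, {}
    def on_ack(self, now, seq):
        """Accept only an ACK for an outstanding sequence number; stale ACKs are ignored."""
        if seq not in self.pending:
            return False
        self.messages += 1
        self.on_traffic(now)
        return True
    def tick(self, now):
        """Periodic timer; returns the seq of a hello to send now, or None."""
        if self.dead:
            return None
        if self.pending:                      # still waiting on an earlier hello
            if now - max(self.pending.values()) < self.retry_interval:
                return None
            if len(self.pending) >= self.max_retries:
                self.dead = True              # retries exhausted: black hole detected
                return None
        elif now - self.last_rx < self.idle_threshold:
            return None                       # peer heard from recently, nothing to do
        self.seq += 1
        self.pending[self.seq] = now
        self.messages += 1
        return self.seq

def simulate(black_hole_at, end, step=1.0):
    """Constructed peer: answers every hello until black_hole_at, then goes silent."""
    m = DpdMonitor()
    t = 0.0
    while t <= end:
        seq = m.tick(t)
        if seq is not None and t < black_hole_at:
            m.on_ack(t, seq)                  # ACK from the still-live peer
        if m.dead:
            return t, m.messages              # (detection time, notifies exchanged)
        t += step
    return None, m.messages
```

With these assumptions a peer that goes silent at t=30 is declared dead at t=45 after seven notifies, whereas a 600-second Phase 1 rekey timer would not notice the black hole until the next negotiation.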