DPD and Clear notification message
Hi All,
The DPD draft allows only encrypted notification messages. It is useful to find out
the liveness of the current IKE peer. But, it is not possible to find out the liveness of
a peer if the IKE SA does not exist. I have the following problem to solve.
VPN clients can come to corporate network via two security routers.
These security routers connect to the internet via two PPPoE DSL lines.
These security routers have different IP addresses.
Through DPD it can switch to the second router, if the primary security router fails.
But, there is no way to switch back to primary security router when it is back online.
There should be some interoperable way to find out that the primary security router is
back to normal. One way is to create an IKE SA periodically with the primary, but
this can be expensive from a processing power perspective.
The second is to have a way to send the DPD notification messages in clear and
find out whether the primary router is back or not.
With the second approach, there could be a concern that it potentially becomes a DDoS
attack. This can be mitigated by having some sort of rate limiting on the ACKs.
Do you see any problem with this?
Regards, Ravi
--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
----------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page
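A sketch of the ACK rate limiting suggested in the message above, added here as an illustration; it is not code from the original post or from any IKE implementation. The class names, the two-level (per-source plus global) limits and the bounded source table are my own assumptions about how a responder would throttle replies to unauthenticated cleartext liveness probes.

```python
from typing import Dict


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0  # timestamp of the previous refill

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ClearDpdResponder:
    """Decides whether to ACK a cleartext (unauthenticated) liveness probe.

    Two limits apply: a per-source bucket (a legitimate client polls slowly) and a
    global bucket (the router must not become an ACK generator for spoofed sources).
    The per-source table is bounded so that spoofed addresses cannot exhaust memory.
    """

    def __init__(self, per_src_rate=0.1, per_src_burst=2,
                 global_rate=50.0, global_burst=100, max_sources=10000):
        self.per_src_rate, self.per_src_burst = per_src_rate, per_src_burst
        self.max_sources = max_sources
        self.per_src: Dict[str, TokenBucket] = {}
        self.global_bucket = TokenBucket(global_rate, global_burst)

    def handle_probe(self, src: str, now: float) -> str:
        bucket = self.per_src.get(src)
        if bucket is None:
            if len(self.per_src) >= self.max_sources:
                return "DROP_TABLE_FULL"  # refuse new state rather than grow unbounded
            bucket = self.per_src[src] = TokenBucket(self.per_src_rate, self.per_src_burst)
        if not bucket.allow(now):
            return "DROP_SRC"  # this source is probing too fast
        if not self.global_bucket.allow(now):
            return "DROP_GLOBAL"  # aggregate ACK budget exhausted
        return "ACK"
```

Probe sources and timestamps are passed in explicitly so the policy can be exercised offline with constructed values.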