
DPD and Clear notification message



Hi All,

The DPD draft allows only encrypted notification messages. It is useful to find out the liveness of the current IKE peer. But it is not possible to find out the liveness of a peer if the IKE SA does not exist.

I have the following problem to solve. VPN clients can come to the corporate network via two security routers. These security routers connect to the internet via two PPPoE DSL lines. These security routers have different IP addresses. Through DPD it can switch to the second router if the primary security router fails. But there is no way to switch back to the primary security router when it is back online. There should be some interoperable way to find out that the primary security router is back to normal.

One way is to create an IKE SA periodically with the primary, but this can be expensive from a processing power perspective. The second is to have a way to send the DPD notification messages in the clear and find out whether the primary router is back or not. With the second approach, there could be a concern that it could potentially become a DDOS attack. This can be mitigated by having some sort of rate limiting on the ACKs.

Do you see any problem with this?

Regards,
Ravi

--
The views presented in this mail are completely mine. The company is not responsible for whatsoever.
----------
Ravi Kumar CH
Rendezvous On Chip (i) Pvt Ltd
Hyderabad, India
Ph: +91-40-2335 1214 / 1175 / 1184
ROC home page
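The rate-limited ACK idea from the message above, as an added illustration that is not part of the original post or of any DPD implementation: a responder that answers unauthenticated R-U-THERE probes only within a per-source and a global token-bucket budget, so that a flood from spoofed sources cannot turn the router into a reflector while the backup router's occasional probe still gets answered. Message names, addresses, rates and the simulation are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed placeholders for the two DPD notifies; a real implementation
# carries them as ISAKMP Notify payloads with a sequence number.
R_U_THERE = "R-U-THERE"
R_U_THERE_ACK = "R-U-THERE-ACK"


@dataclass
class TokenBucket:
    """Classic token bucket: refills `rate` tokens/second, holds at most `burst`."""
    rate: float
    burst: float
    tokens: float
    last: float

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ClearDpdResponder:
    """Answers clear-text R-U-THERE probes only within budget.

    Per-source bucket: one peer cannot monopolise the responder.
    Global bucket: many spoofed sources cannot make it reflect at line rate.
    Per-source state is capped so a flood cannot exhaust memory either.
    """

    def __init__(self, per_src_rate=0.2, per_src_burst=2.0,
                 global_rate=20.0, global_burst=20.0, max_sources=10_000):
        self.per_src_rate, self.per_src_burst = per_src_rate, per_src_burst
        self.global_bucket = TokenBucket(global_rate, global_burst, global_burst, 0.0)
        self.sources, self.max_sources, self.dropped = {}, max_sources, 0

    def handle(self, src_ip: str, msg: str, seq: int, now: float):
        """Return the ACK to send back, or None if the probe is dropped."""
        if msg != R_U_THERE:
            return None
        bucket = self.sources.get(src_ip)
        if bucket is None:
            if len(self.sources) >= self.max_sources:
                self.sources.clear()  # crude eviction: bounded state beats fairness here
            bucket = self.sources[src_ip] = TokenBucket(
                self.per_src_rate, self.per_src_burst, self.per_src_burst, now)
        # Per-source check first, so one chatty source cannot drain the global budget.
        if not bucket.allow(now) or not self.global_bucket.allow(now):
            self.dropped += 1
            return None
        return (R_U_THERE_ACK, seq)  # ACK is no larger than the probe: no amplification


def simulate() -> dict:
    """Constructed scenario: backup router probes every 10 s, then a spoofed flood."""
    r, acked = ClearDpdResponder(), {"primary": 0, "flood": 0}
    for i in range(5):                                   # legitimate probes, t = 100..140
        if r.handle("203.0.113.5", R_U_THERE, i, 100.0 + 10 * i):
            acked["primary"] += 1
    for i in range(1000):                                # 1000 spoofed sources at t = 150
        if r.handle(f"198.51.{i // 256}.{i % 256}", R_U_THERE, i, 150.0):
            acked["flood"] += 1
    if r.handle("203.0.113.5", R_U_THERE, 5, 151.0):     # legitimate probe right after flood
        acked["primary"] += 1
    acked["dropped"] = r.dropped
    return acked
```

The global bucket caps the reflected traffic at its refill rate regardless of how many spoofed sources appear, and the backup router's probe one second later is still answered once the bucket has refilled.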