Re: Revised PS Draft (RE: IPsec Failover and Redundancy - Problem Statement and Goals)
>>>>> "Lakshminath" == Lakshminath Dondeti <ldondeti@xxxxxxxxxxxx> writes:
>> (My GSM phone does drop calls, just not daily. My PSTN phone
>> often gets a "bad line" too...)
>>
>> o Application Usage of IPsec: When IPsec is used to protect other
>> protocols, the extent of failover interoperability that can be
>>
>> I think my MIP ignorance is showing. Can you give us some
>> references?
>>
>> o Stateless Gateway Operation: The IPsec failover mechanism must
>> specify a mode of operation that will allow the backup gateways
>> to remain stateless until a failover occurs or during a temporary
>> service interruption. This will allow for better scalability of
>> the solution, since a given gateway only needs to store state for
>> clients that are being served by it.
>>
>> I strongly favour this. I guess you are leaving room for a
>> stateful method as well. I think, it will be simpler to specify
>> a single method.
Lakshminath> Yes, we definitely want to support the stateful model
Lakshminath> also. If it must be a single method, stateful is my
Lakshminath> preference. Perhaps we should just specify/work on
Lakshminath> both.

That's interesting.
A stateless method is easier to make stateful than the converse.
Can you tell me why a stateful method would also need to be interoperable?

>> ===== wow. shorter than I thought.
>>
>> I think that SC section should perhaps outline what additional
>> security considerations a solution should deal with. A big one
>> might be various kinds of third-party attempts to DoS.
>>
>> Are there competing gateways? Is there ever a financial advantage
>> to making clients move?
Lakshminath> This would definitely be out of scope for this effort,
Lakshminath> in my view.

That needs to be stated.
"We assume that the gateways are not mutually suspicious, and are not
competitors. That the gateways are run by the same enterprise."

- --
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [