
Re: Heartbeats draft



On Sat, 1 Apr 2000, sankarramamoorthi wrote:
> The sequence is as follows
> 
>                   <----- ipsec packet
>        No matching SA
>        parties out of sync
> 
>            ------>  invalid spi
>                     + original 8 bytes of packet
>                     causing this error
>                     The error notification message
>                     is sent in the clear.
>                                                 recover spi from
>                                                 error notification
>                                                 packet. Find sa
>                                                 corresponding to spi,
>                                                 protocol and peer
>                                                 address.
>                                                 If sa not found
>                                                 drop notification
>                                                 message and return.
>                    <------ echo on ipsec SA
>                                                 If echo reply was
>                                                 not received even after
>                                                 a few retries, the
>                                                 error notification is
>                                                 genuine - clean up the
>                                                 stale ipsec SA
>                     ------> echo reply on ipsec SA
>                                                 echo reply successfully
>                                                 received - therefore
>                                                 the ipsec sa is
>                                                 active. Ignore the
>                                                 error notification and
>                                                 return.
> 

This sort of scheme has already been proposed and rejected, since echo
requests may or may not be covered by the classification of the tunnel. This
is not a good scheme.

Replace 'echo on ipsec SA' with some sort of phase 1 keepalive request and
reply (not timed, but, as you proposed above, event driven when needed), and
I could agree, but not if done over phase 2 (for more than just the reason
given above; check the archives).

I'm working on another similar proposal/idea. Once I have some things worked
out someone will post something to the list.

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
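The lookup-then-verify logic of the quoted sequence, as an added example in Python that is not part of the original thread. The SA database, the `probe` callback (standing in for whichever keepalive exchange is chosen: the phase 1 request Jan prefers or the phase 2 echo in the quote) and the retry count are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_PROBES = 3  # assumed retry budget before the notification is believed


@dataclass
class IpsecSA:
    spi: int
    proto: str   # "esp" or "ah"
    peer: str    # peer address the SA was negotiated with


class SADatabase:
    """Minimal stand-in for a kernel/daemon SAD keyed by (spi, proto, peer)."""

    def __init__(self) -> None:
        self.sas: Dict[Tuple[int, str, str], IpsecSA] = {}

    def add(self, sa: IpsecSA) -> None:
        self.sas[(sa.spi, sa.proto, sa.peer)] = sa

    def lookup(self, spi: int, proto: str, peer: str) -> Optional[IpsecSA]:
        return self.sas.get((spi, proto, peer))

    def delete(self, sa: IpsecSA) -> None:
        self.sas.pop((sa.spi, sa.proto, sa.peer), None)


def handle_invalid_spi_notify(sadb: SADatabase, peer: str, spi: int, proto: str,
                              probe: Callable[[str, int], bool]) -> str:
    """Process an INVALID-SPI notification that arrived in the clear.

    Because the notification is unauthenticated, it is never acted on by
    itself: the SA is only torn down after the peer fails to answer a
    keepalive that a genuine, still-synchronised peer would answer.
    Returns one of: "ignored-unknown-sa", "sa-active", "sa-deleted".
    """
    sa = sadb.lookup(spi, proto, peer)
    if sa is None:
        return "ignored-unknown-sa"       # nothing to clean up; drop and return
    for _ in range(MAX_PROBES):
        if probe(peer, spi):              # reply came back: SA is alive
            return "sa-active"            # ignore the notification
    sadb.delete(sa)                       # no reply after retries: stale SA
    return "sa-deleted"
```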