Re: Heartbeats Straw Poll
Sankar Ramamoorthi <sankar@nexsi.com> Mon, 07 August 2000 19:53 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id MAA03421; Mon, 7 Aug 2000 12:53:25 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id OAA29591 Mon, 7 Aug 2000 14:23:13 -0400 (EDT)
From: Sankar Ramamoorthi <sankar@nexsi.com>
Reply-To: sankar@nexsi.com
To: Ricky Charlet <rcharlet@redcreek.com>, ipsec@lists.tislabs.com
Subject: Re: Heartbeats Straw Poll
Date: Mon, 07 Aug 2000 11:24:47 -0700
X-Mailer: KMail [version 1.0.29]
Content-Type: text/plain
References: <000001bffdb3$bf70fe90$a3d0788a@andrewk3.ca.newbridge.com> <p0432041cb5b079226c70@[147.73.132.180]> <398ED3B9.3600EADC@redcreek.com>
In-Reply-To: <398ED3B9.3600EADC@redcreek.com>
MIME-Version: 1.0
Message-Id: <00080711353208.18742@odin>
Content-Transfer-Encoding: 8bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
On Mon, 07 Aug 2000, Ricky Charlet wrote:
> Paul Hoffman wrote:
> > When the group was asked "how many people understand this proposal",
> > I saw lots of people who I would have hoped would have raised their
> > hands not doing so (and not voting in the next two questions,
> > thankfully). Sounds like we might want a *short*, concise statement
> > of the problem to the list before the straw poll is taken next. Maybe
> > start with a neutral description of the problem, followed by two
> > paragraphs in favor and two opposed.
> >
> > --Paul Hoffman, Director
> > --VPN Consortium
>
> Howdy,
> I'll take a stab.
>
> Dead Peer Detection. (or some have called this same concept Black Hole
> Detection).
>
> There are several motives for wanting to be able to detect a dead peer.
> Among these are:
> o implementing a redundancy strategy
> o ipsra event auditing (required) and accounting (not required)

This seems to be the best reason for a heartbeat protocol.

> o general resource/state recovery
>
>
> Argument in favor:
> ==================
> IPsec creates black holes. If an SA is built among peers SGW1 and
> SGW2, and later one of those peers (SGW2) becomes unreachable, then
> protected traffic will be black holed from SGW1 into the (now defunct)
> SA with no ICMP unreachable messages being sent back to the sending
> hosts. At the very least, if SGW1 could learn that the SA became a black
> hole, then it would be able to send ICMP unreachables back to the
> sending hosts and the dead peer detection to do that MUST interoperate.

Agree. IMHO, error notification should be part of the base protocol;
error notification, combined with a 'ping'-like mechanism, should be
the way to detect dead peers. So far there has been no agreement on
secure dead-peer-detection - inventing a heartbeat protocol for this
purpose seems an overkill.

> But, more sophisticated implementations could also choose to create a
> new SA with a 'back up peer' as one possible redundancy strategy.
> Redundancy strategies need not interoperate among vendors, but the dead
> peer detection mechanism does need to interoperate.
> Also, when a remote access client builds an SA with an SGW, there is
> an unignorable likelihood that the client may be shut down in non-clean
> fashion (power off, kill process, unplug communications connection...)
> In the absence of a dead peer detection mechanism, the SGW would
> continue to believe that the client were present until it initiated a
> re-key event. For gateways connecting thousands of clients, this leads
> to very unattractive leaking of resources. But more importantly, it
> destroys auditing capabilities. An audit event for client connect and
> client disconnect and loss of client are all deeply significant when you
> are trying to track who accessed what when for either legal or technical
> reasons. IPSRA requires the capability to track connection start and end
> time (NOTE: in the current rev of the draft draft-ietf-ipsra-reqmts
> these are listed as Accounting requirements in section 2.4. But at the
> IPSRA meeting, the accounting requirements got trimmed but connection
> start and stop survived as required audit events).
>
>
>
> Argument Against:
> ==================
> It's hard to do. We had trouble with this stuff back when we did TCP.
> Also, IPsec WG has lasted a long time now and needs to close, we have a
> steep prejudice against initiating any new work items.
>
>
>
> --
> Ricky Charlet : Redcreek Communications : usa (510) 795-6903

--
sankar ramamoorthi
email: sankar@nexsi.com
phone: 408-579-5718 (w)
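The black-hole scenario in Ricky Charlet's "argument in favor" (SGW1 keeps feeding traffic into an SA whose peer SGW2 has silently gone away) and Sankar's preferred answer (a 'ping'-like check bound to the existing protocol rather than a separate heartbeat) are modelled below as an added example. This is not code from the thread, from any IPsec product or from an IETF specification: the probe/ack message kinds, the 5-byte header plus HMAC tag, the timer values, the shared key and the simulated outage are all assumptions chosen for illustration. It shows both sides of the exchange, the point at which SGW1 declares the SA dead (so it could start returning ICMP unreachables or fail over), and why the probes must be authenticated and sequence-numbered: an on-path attacker replaying an earlier genuine ack cannot keep a dead SA looking alive, and a forged ack under the wrong key is ignored.

```python
import hashlib
import hmac
import struct

# Added example, not code from this thread, any IPsec product or IETF spec.
# In-memory model of idle-triggered dead peer detection. Message kinds, the
# 5-byte header, timer values and the shared key are assumptions for illustration.

PROBE, ACK = 1, 2
HDR = struct.Struct("!BI")               # kind (1 byte), sequence number (4 bytes)
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC tag


def build_msg(key: bytes, kind: int, seq: int) -> bytes:
    """Authenticate kind+seq under the SA key so a third party cannot forge it."""
    body = HDR.pack(kind, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()


def parse_msg(key: bytes, msg: bytes):
    """Return (kind, seq) for a well-formed, authentic message, else None."""
    if len(msg) != HDR.size + TAG_LEN:
        return None
    body, tag = msg[:HDR.size], msg[HDR.size:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return HDR.unpack(body)


class Peer:
    def __init__(self, name, key, idle_limit=10.0, probe_interval=5.0, max_missed=3):
        self.name, self.key = name, key
        self.idle_limit = idle_limit          # seconds of silence before probing
        self.probe_interval = probe_interval  # seconds between unanswered probes
        self.max_missed = max_missed          # unanswered probes before declaring death
        self.last_rx = 0.0                    # last authenticated traffic from peer
        self.last_probe = 0.0
        self.next_seq = 1
        self.outstanding = set()              # probe seqs still awaiting an ack
        self.highest_probe_seen = 0           # rejects replayed probes
        self.missed = 0
        self.alive = True
        self.dead_at = None

    def on_protected_traffic(self, now):
        """Any authenticated packet from the peer proves liveness; no probe needed."""
        self.last_rx = now
        self.missed = 0
        self.outstanding.clear()

    def tick(self, now):
        """Called periodically; returns a probe to send, or None."""
        if not self.alive or now - self.last_rx < self.idle_limit:
            return None
        if now - self.last_probe < self.probe_interval:
            return None
        if self.outstanding:                  # previous probe went unanswered
            self.missed += 1
            if self.missed >= self.max_missed:
                self.alive, self.dead_at = False, now   # the SA is a black hole
                return None
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.outstanding.add(seq)
        self.last_probe = now
        return build_msg(self.key, PROBE, seq)

    def on_receive(self, msg, now):
        """Handle a probe or ack; returns an ack to send back, or None."""
        parsed = parse_msg(self.key, msg)
        if parsed is None:
            return None                       # forged or corrupt: ignore
        kind, seq = parsed
        if kind == PROBE:
            if seq <= self.highest_probe_seen:
                return None                   # replayed probe
            self.highest_probe_seen = seq
            self.on_protected_traffic(now)
            return build_msg(self.key, ACK, seq)
        if kind == ACK and seq in self.outstanding:
            self.on_protected_traffic(now)    # fresh ack for a probe we sent
        return None                           # stale or replayed acks change nothing


def simulate(peer_dies_at, attacker_replays=False, end=120.0):
    """SGW1 probes SGW2 once per simulated second; SGW2 stops answering at peer_dies_at."""
    key = b"constructed-sa-key-not-a-real-secret"   # assumption: shared SA key
    sgw1, sgw2 = Peer("SGW1", key), Peer("SGW2", key)
    last_ack, t = None, 0.0
    while t < end and sgw1.alive:
        probe = sgw1.tick(t)
        if probe is not None:
            if t < peer_dies_at:
                last_ack = sgw2.on_receive(probe, t)
                sgw1.on_receive(last_ack, t)
            elif attacker_replays and last_ack is not None:
                sgw1.on_receive(last_ack, t)  # on-path attacker replays an old genuine ack
        t += 1.0
    return sgw1


if __name__ == "__main__":
    gw = simulate(peer_dies_at=25.0, attacker_replays=True)
    print(f"{gw.name} declared its peer dead at t={gw.dead_at}s "
          f"with {len(gw.outstanding)} probes unanswered")
```

With the assumed timers, SGW2 answers probes at t=10 and t=20, goes away at t=25, and SGW1 declares the SA dead at t=45 after probes 3, 4 and 5 go unanswered; the replayed ack for probe 2 does not extend its life because only an ack matching an outstanding probe counts. Two design points carry over to any real mechanism: probes are sent only when the SA has been idle (received protected traffic already proves the peer is up, so busy gateways with thousands of clients are not flooded with keepalives), and the liveness evidence must be tied to the SA's own authentication so that a third party can neither hide an outage nor fake one.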