Re: Heartbeats Straw Poll
Ricky Charlet <rcharlet@redcreek.com> Mon, 07 August 2000 17:16 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA29065; Mon, 7 Aug 2000 10:16:37 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id MAA28915 Mon, 7 Aug 2000 12:09:43 -0400 (EDT)
Message-ID: <398ED3B9.3600EADC@redcreek.com>
Date: Mon, 07 Aug 2000 09:20:25 -0600
From: Ricky Charlet <rcharlet@redcreek.com>
Organization: Redcreek Communications
X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: ipsec@lists.tislabs.com
Subject: Re: Heartbeats Straw Poll
References: <000001bffdb3$bf70fe90$a3d0788a@andrewk3.ca.newbridge.com> <p0432041cb5b079226c70@[147.73.132.180]>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Paul Hoffman wrote:
> When the group was asked "how many people understand this proposal",
> I saw lots of people who I would have hoped would have raised their
> hands not doing so (and not voting in the next two questions,
> thankfully). Sounds like we might want a *short*, concise statement
> of the problem to the list before the straw poll is taken next. Maybe
> start with a neutral description of the problem, followed by two
> paragraphs in favor and two opposed.
>
> --Paul Hoffman, Director
> --VPN Consortium

Howdy,

I'll take a stab.

Dead Peer Detection (or some have called this same concept Black Hole Detection).

There are several motives for wanting to be able to detect a dead peer. Among these are:

  o implementing a redundancy strategy
  o ipsra event auditing (required) and accounting (not required)
  o general resource/state recovery

Argument in favor:
==================

IPsec creates black holes. If an SA is built among peers SGW1 and SGW2, and later one of those peers (SGW2) becomes unreachable, then protected traffic will be black holed from SGW1 into the (now defunct) SA with no ICMP unreachable messages being sent back to the sending hosts. At the very least, if SGW1 could learn that the SA became a black hole, then it would be able to send ICMP unreachables back to the sending hosts, and the dead peer detection to do that MUST interoperate. But more sophisticated implementations could also choose to create a new SA with a 'back up peer' as one possible redundancy strategy. Redundancy strategies need not interoperate among vendors, but the dead peer detection mechanism does need to interoperate.

Also, when a remote access client builds an SA with an SGW, there is an unignorable likelihood that the client may be shut down in non-clean fashion (power off, kill process, unplug communications connection...). In the absence of a dead peer detection mechanism, the SGW would continue to believe that the client were present until it initiated a re-key event. For gateways connecting thousands of clients, this leads to very unattractive leaking of resources. But more importantly, it destroys auditing capabilities. Audit events for client connect, client disconnect and loss of client are all deeply significant when you are trying to track who accessed what when for either legal or technical reasons. IPSRA requires the capability to track connection start and end time (NOTE: in the current rev of the draft draft-ietf-ipsra-reqmts these are listed as Accounting requirements in section 2.4. But at the IPSRA meeting, the accounting requirements got trimmed, but connection start and stop survived as required audit events).

Argument Against:
==================

It's hard to do. We had trouble with this stuff back when we did TCP. Also, the IPsec WG has lasted a long time now and needs to close; we have a steep prejudice against initiating any new work items.

-- 
Ricky Charlet : Redcreek Communications : usa (510) 795-6903
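As an added example (this is not code from Ricky Charlet's message, from the IPsec WG, or from any IPsec implementation), the following Python models the two behaviours the message contrasts: a gateway without dead peer detection keeps a vanished client's SA, and logs its disconnect, only when the next rekey fails, while a gateway with DPD probes an idle peer and declares it dead after a few unanswered probes, releasing the state and logging a loss-of-client audit event close to when it happened. The timer values (30 s idle threshold, 5 s probe retry, 3 lost probes, 3600 s SA lifetime, 60 s rekey wait), the peer name "client-A", the probe-only-when-idle design and the single-client scenario are assumptions chosen for illustration, not drawn from the thread.

```python
"""Dead peer detection (DPD) against a toy SA table.
Added example, not code from the original message or from any IPsec
stack; every timer value below is an assumption chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SA:
    peer: str
    established_at: float
    lifetime: float                       # seconds until the scheduled rekey
    last_inbound: float                   # last authenticated packet from peer
    probe_sent_at: Optional[float] = None
    probes_unanswered: int = 0
    rekey_started_at: Optional[float] = None


@dataclass
class DPDConfig:
    idle_threshold: float = 30.0          # inbound silence before first probe
    probe_interval: float = 5.0           # spacing of unanswered-probe retries
    max_unanswered: int = 3               # lost probes before 'dead'


class Gateway:
    """SGW side: one SA per peer plus an audit log of (time, event, peer)."""
    REKEY_TIMEOUT = 60.0                  # assumed: how long a rekey waits

    def __init__(self, dpd: Optional[DPDConfig]) -> None:
        self.dpd = dpd                    # None models a gateway without DPD
        self.sas: Dict[str, SA] = {}
        self.audit: List[Tuple[float, str, str]] = []
        self.probes_sent: List[Tuple[float, str]] = []

    def connect(self, peer: str, now: float, lifetime: float) -> None:
        self.sas[peer] = SA(peer, now, lifetime, now)
        self.audit.append((now, "connect", peer))

    def inbound(self, peer: str, now: float) -> None:
        # Any authenticated inbound packet (data, DPD or rekey reply) proves liveness.
        sa = self.sas.get(peer)
        if sa is None:
            return
        if sa.rekey_started_at is not None:  # rekey answered: new lifetime
            sa.established_at, sa.rekey_started_at = now, None
        sa.last_inbound = now
        sa.probe_sent_at = None
        sa.probes_unanswered = 0

    def _declare_dead(self, sa: SA, now: float, reason: str) -> None:
        # Release the state; a real SGW would now also return ICMP
        # unreachable (or fail over) for traffic bound into this SA.
        del self.sas[sa.peer]
        self.audit.append((now, "disconnect:" + reason, sa.peer))

    def tick(self, now: float) -> None:
        """Periodic timer: drive rekey and DPD timeouts for every SA."""
        for sa in list(self.sas.values()):
            if now - sa.established_at >= sa.lifetime:
                # A failed rekey is the only liveness signal without DPD.
                if sa.rekey_started_at is None:
                    sa.rekey_started_at = now
                elif now - sa.rekey_started_at >= self.REKEY_TIMEOUT:
                    self._declare_dead(sa, now, "rekey-failed")
                continue
            if self.dpd is None or now - sa.last_inbound < self.dpd.idle_threshold:
                continue                  # no DPD, or traffic is flowing
            if sa.probe_sent_at is not None:
                if now - sa.probe_sent_at < self.dpd.probe_interval:
                    continue              # still waiting on the last probe
                sa.probes_unanswered += 1 # that probe has now timed out
            if sa.probes_unanswered >= self.dpd.max_unanswered:
                self._declare_dead(sa, now, "dpd-timeout")
                continue
            sa.probe_sent_at = now
            self.probes_sent.append((now, sa.peer))


def simulate(dpd: Optional[DPDConfig], peer_dies_at: float, sim_end: float,
             lifetime: float = 3600.0, step: float = 1.0) -> Gateway:
    """Constructed scenario: one client powered off (no clean delete) at
    peer_dies_at; while alive it sends an authenticated packet every step."""
    gw = Gateway(dpd)
    gw.connect("client-A", 0.0, lifetime)
    t = 0.0
    while t <= sim_end:
        if t < peer_dies_at:
            gw.inbound("client-A", t)
        gw.tick(t)
        t += step
    return gw


def detection_time(gw: Gateway, peer: str) -> Optional[float]:
    """When the audit log recorded the peer's disconnect, or None."""
    for when, event, who in gw.audit:
        if who == peer and event.startswith("disconnect"):
            return when
    return None
```

With the assumed timers, `simulate(DPDConfig(), 100.0, 400.0)` records the disconnect at 144 s (30 s idle plus three 5 s probe retries) after three probes, whereas `simulate(None, 100.0, 4000.0)` only records it at 3660 s, when the scheduled rekey at 3600 s goes unanswered; a client that keeps sending traffic is never probed at all. Probing only after inbound silence, rather than on a fixed heartbeat, is the design choice that keeps the per-client cost negligible on a gateway with thousands of SAs.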
- VPN Bakeoff question Kavsan, Bronislav
- Re: VPN Bakeoff question Ari Huttunen
- Re: VPN Bakeoff question Dan Harkins
- RE: VPN Bakeoff question Bill Becker
- RE: VPN Bakeoff question Jones, Michael ( Marketing)
- RE: VPN Bakeoff question Moti Frances
- RE: VPN Bakeoff question Moti Frances
- RE: VPN Bakeoff question leemay yen
- RE: VPN Bakeoff question Kavsan, Bronislav
- Re: VPN Bakeoff question Stephane Beaulieu
- Heartbeats Straw Poll Andrew Krywaniuk
- Re: Heartbeats Straw Poll Henry Spencer
- Re: Heartbeats Straw Poll Paul Hoffman
- Re: Heartbeats Straw Poll Vlado Zafirov
- Re: Heartbeats Straw Poll Vlado Zafirov
- Re: Heartbeats Straw Poll Bill Sommerfeld
- Re: Heartbeats Straw Poll Vlado Zafirov
- Re: Heartbeats Straw Poll Skip Booth
- Re: Heartbeats Straw Poll Derrell D. Piper
- Re: Heartbeats Straw Poll Bill Sommerfeld
- Re: Heartbeats Straw Poll Bill Sommerfeld
- Re: Heartbeats Straw Poll Frederic Detienne
- Re: Heartbeats Straw Poll Skip Booth
- Re: Heartbeats Straw Poll Dan Harkins
- Re: Heartbeats Straw Poll Ricky Charlet
- Re: Heartbeats Straw Poll Dan Harkins
- Fwd: Re: Heartbeats Straw Poll Sankar Ramamoorthi
- Re: Heartbeats Straw Poll Sankar Ramamoorthi
- Re: Heartbeats Straw Poll Bill Sommerfeld
- Re: Heartbeats Straw Poll Scott G. Kelly
- Re: Heartbeats Straw Poll Scott Fanning
- Re: Heartbeats Straw Poll Derek Atkins
- Re: Heartbeats Straw Poll Scott Fanning
- Re: Heartbeats Straw Poll Bill Sommerfeld
- Re: Heartbeats Straw Poll Dan Harkins
- Re: Heartbeats Straw Poll Scott Fanning
- Re: Heartbeats Straw Poll Jan Vilhuber
- Re: Heartbeats Straw Poll Jan Vilhuber
- Re: Heartbeats Straw Poll Theodore Y. Ts'o
- Re: Heartbeats Straw Poll Skip Booth
- Re: Heartbeats Straw Poll Steven M. Bellovin
- Re: Heartbeats Straw Poll Skip Booth
- Re: Heartbeats Straw Poll Michael Richardson
- Re: Heartbeats Straw Poll Michael Richardson
- Re: Heartbeats Straw Poll Michael Richardson
- Re: Heartbeats Straw Poll Michael Richardson
- RE: Heartbeats Straw Poll Chris Trobridge
- Re: Heartbeats Straw Poll Michael Richardson
- Re: Heartbeats Straw Poll Michael Richardson
- Re: Heartbeats Straw Poll Jan Vilhuber
- Re: Heartbeats Straw Poll Bill Sommerfeld
- Re: Heartbeats Straw Poll Skip Booth
- Re: Heartbeats Straw Poll Paul Hoffman / VPNC
- Re: Heartbeats Straw Poll Steven M. Bellovin
- Re: Heartbeats Straw Poll Jan Vilhuber
- Re: Heartbeats Straw Poll Steven M. Bellovin
- Re: Heartbeats Straw Poll Jan Vilhuber
- Re: Heartbeats Straw Poll Angelos D. Keromytis
- Re: Heartbeats Straw Poll Jan Vilhuber
- Re: Heartbeats Straw Poll Michael Richardson
- Re: Heartbeats Straw Poll Michael Richardson
- Re: Heartbeats Straw Poll Steven M. Bellovin
- Re: Heartbeats Straw Poll Henry Spencer
- Re: Heartbeats Straw Poll Jan Vilhuber
- Re: Heartbeats Straw Poll Theodore Ts'o
- Re: Heartbeats Straw Poll Skip Booth
- RE: Heartbeats Straw Poll Chris Trobridge
- Re: Heartbeats Straw Poll Ari Huttunen
- Re: Heartbeats Straw Poll Theodore Y. Ts'o
- Re: Heartbeats Straw Poll Ben McCann
- Re: Heartbeats Straw Poll Tero Kivinen
- Re: Heartbeats Straw Poll Ari Huttunen
- Re: Heartbeats Straw Poll Steven M. Bellovin
- Re: Heartbeats Straw Poll Michael Richardson
- Re: Heartbeats Straw Poll Scott G. Kelly
- Re: Heartbeats Straw Poll Steven M. Bellovin
- Re: Heartbeats Straw Poll Bill Sommerfeld
- RE: Heartbeats Straw Poll Waters, Stephen
- Re: Heartbeats Straw Poll Chinna N.R. Pellacuru
- Re: Heartbeats Straw Poll Scott G. Kelly
- Re: Heartbeats Straw Poll Shawn Mamros
- Re: Heartbeats Straw Poll Ben McCann
- Re: Heartbeats Straw Poll Michael Richardson
- Re: Heartbeats Straw Poll Scott Fanning
- Re: Heartbeats Straw Poll Shawn Mamros
- Re: Heartbeats Straw Poll Shawn Mamros
- RE: Heartbeats Straw Poll (part 2) Andrew Krywaniuk
- RE: Heartbeats Straw Poll (part 1) Andrew Krywaniuk
- RE: Heartbeats Straw Poll Andrew Krywaniuk
- RE: Heartbeats Straw Poll (part 3) Andrew Krywaniuk
- Re: Heartbeats Straw Poll Ricky Charlet