[Openswan dev] passive side of DPD

Michael Richardson mcr at xelerance.com
Wed Jul 6 22:55:42 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----


Let's say that we have two nodes, west and east.

They have dpd enabled.

For some reason, communication from east->west fails.
This means that DPD is going to fail.
(In our dpd-06 test case, we force this by doing:
   : Create the block
   iptables -I INPUT -s 192.1.2.23/32 -d 0/0 -j DROP
)

Issue: when the state is deleted on east, a delete message is sent out.
Since west->east communication is still permitted, the delete message
goes out.  No problem on west.

On east, we get the delete, and we remove the state.
east will then remove the state, and with it, the knowledge that it was
doing dpd, and that it should perhaps do action=restart.

The result is that the state is removed, we go back to %trap, and the
conn is not restarted. When traffic shows up, we would restart. 

While this is surprising, I don't see any other way to rationally deal
with this -- from east's point of view, the conn has simply been
deleted.

(dpd-06 is being adjusted to block both incoming and outgoing traffic)

- -- 
] Michael Richardson          Xelerance Corporation, Ottawa, ON |  firewalls  [
] mcr @ xelerance.com           Now doing IPsec training, see   |net architect[
] http://www.sandelman.ca/mcr/    www.xelerance.com/training/   |device driver[
]                    I'm a dad: http://www.sandelman.ca/lrmr/                 [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBQsyLnIqHRg3pndX9AQEfBQQArAmj+2ziQA7KzUELe2jVx8c94wTrf2q2
QyF2CP9vScaoxI2A6GEesIJqsVmDBe4qJWku0AYhE1TY4tDNkG1YcWusQPLLw9B0
YuckvevDo6STfGwZDsV4mrKmohb6DFRyWkC7thnJBRfoSwU9TGOYi3OMOAsp2JZ7
kDOW32NI0fo=
=t/H8
-----END PGP SIGNATURE-----


More information about the Dev mailing list