Hosting Provided By

[Design] address inertia

From: John S. Denker <jsd(at)monmouth.com>
Date: Sun Feb 16 2003 - 09:39:21 EST

Executive summary:

Suppose you have IPsec gateways at one or two base locations (which we expect to be more-or-less stationary), plus a large number of road warriors, i.e. folks who initiate IPsec connections to the base from strange places. Typically the wild-side IP address of each road warrior is assigned by DHCP.

Now suppose you need to restart one of the base stations. This is bad. All its IPsec connections will go down, and in the prior art there is no good way to re-establish the connections. The road warriors will not know that the base has restarted. They will continue using the old connections until they time out, which could take hours. Only then will they commence the rekeying procedure which will lead to the establishment of new connections.

We now describe mk_conf, which solves this problem. The key concept is something we call address inertia. That is, the base station remembers the last known wild-side address of each road warrior, and uses that to attempt to re-contact them after a restart.

For details, see:
http://www.monmouth.com/~jsd/vpn/ipsec+routing/mk_conf.htm

Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design Received on Sun Feb 16 10:15:46 2003

This message: [ Message body ]
Next message: Hugh Daniel: "[Design] Raw doc in the policy group files"
Previous message: Hugh Daniel: "[Design] The 2.00 code fails a MAJOR user acceptance test"
In reply to: Hugh Daniel: "[Design] Typeo in ipsec.conf(5)"
Next in thread: Jim Carter: "Re: [Design] address inertia"
Reply: Jim Carter: "Re: [Design] address inertia"
Reply: Michael Richardson: "Re: [Design] address inertia"
Reply: D. Hugh Redelmeier: "Re: [Design] mast(4)"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:32 EDT