
Re: [RPSEC] rate limiting management traffic, redux



On Friday, Apr 25, 2003, at 22:22 Europe/Amsterdam, Stephen Kent wrote:

I agree here, but that's not what I was getting at. What I meant was that it makes sense to somehow make this new scheme part of the larger world of IPsec rather than create a new, independent protocol that handles this.

OK, I understand. Let me say why I think it is very unlikely for that to happen. IPsec is trying to remove complexity from implementations, whereas adding this functionality would add complexity.
Ok, not doing this is less complex than doing it. The real question is whether implementing the pre-authentication is more complex with or without IPsec. I think it could very well be the former.

So if you want to implement an IPv6 option, be sure to consult with a good number of vendors first to make sure you're not shooting yourself in the foot. Hopefully this problem will go away at some point but I gather it's very real now.

OK. Then we just need to be defined as "not strange" :-)
Good luck doing that for the installed base.  (-:

But maybe we don't really have to solve this. Would it be extremely hard to implement a feature that automatically stops traffic being _routed_ towards a router or management station if the management or routing session with this station is down? (Locally sourced packets should still be allowed through so sessions can be reestablished.)

Since a correspondent does not always know when its peer has crashed and recovered, our goal is to have a way to re-initialize without involving the CPU, to avoid the problems you cite.
Re-initialize without involving the CPU... Talk about neat tricks!

Detecting failures is usually done with periodic keepalives. I don't see why this can't work here.

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec