Dead Peer Detection (RFC 3706)

DPD overcomes a shortcoming of keepalives and heartbeats: those must be exchanged at regular intervals, whereas DPD does not require that.

If there is ongoing valid IPSec traffic between the two peers, there is no need to check the liveliness of the tunnel: the IPSec traffic itself serves as proof of liveliness. If a period of time elapses during which no packets are exchanged, the liveliness of each peer can be checked.

If a peer supports DPD, the DPD Vendor ID should be exchanged in ISAKMP phase 1. The DPD ISAKMP Vendor ID payload is sent in messages 1 and 2 of main mode and in messages 1 and 2 of aggressive mode.

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!  HASHED_VENDOR_ID   !  Major  !  Minor  !
!                     ! Version ! Version !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The peers exchange R-U-THERE and R-U-THERE-ACK messages. If no R-U-THERE-ACK is received for an R-U-THERE, the peer should delete the IPSec SA and the IKE SA.

The message format is as follows:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload  !   RESERVED    !         Payload Length        !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!              Domain of Interpretation  (DOI)                  !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!  Protocol-ID  !    SPI Size   !      Notify Message Type      !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!                                                               !
~                Security Parameter Index (SPI)                 ~
!                                                               !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
!                    Notification Data                          !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


The Notify Message Type field determines whether the message is an R-U-THERE or an R-U-THERE-ACK.

DPD also uses a sequence number, both to prevent replay attacks and to keep track of which messages have been exchanged.
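As an added example (not code from the post or from RFC 3706), the following Python encodes and parses the DPD notify payload shown above and keeps one peer's DPD state: the idle timer that only probes when no traffic has been seen, the outstanding R-U-THERE whose sequence number the ACK must echo, a replay check that drops probes whose sequence number does not increase, and a dead verdict after repeated unanswered probes. The notify type values 36136 and 36137 are those assigned by RFC 3706; the DOI and Protocol-ID values, the 16-byte SPI built from the two cookies, the starting sequence number and the timer values are this example's assumptions.

```python
import struct

R_U_THERE, R_U_THERE_ACK = 36136, 36137      # notify message types assigned by RFC 3706
IPSEC_DOI, PROTO_ISAKMP, SPI_LEN = 1, 1, 16   # SPI = initiator cookie || responder cookie (assumed)

def build_dpd_notify(ntype, spi, seq):
    """Encode the Notify payload shown above; Notification Data is the 32-bit sequence number."""
    return (struct.pack("!BBHIBBH", 0, 0, 12 + len(spi) + 4, IPSEC_DOI, PROTO_ISAKMP, len(spi), ntype)
            + spi + struct.pack("!I", seq))

def parse_dpd_notify(buf):
    """Return (notify type, spi, seq); raise ValueError for anything that is not a DPD notify."""
    if len(buf) != 12 + SPI_LEN + 4:
        raise ValueError("wrong length for a DPD notify")
    _next, _rsv, length, doi, proto, spi_size, ntype = struct.unpack("!BBHIBBH", buf[:12])
    if ((length, doi, proto, spi_size) != (len(buf), IPSEC_DOI, PROTO_ISAKMP, SPI_LEN)
            or ntype not in (R_U_THERE, R_U_THERE_ACK)):
        raise ValueError("not a DPD notify")
    return ntype, buf[12:12 + SPI_LEN], struct.unpack("!I", buf[12 + SPI_LEN:])[0]

class DpdPeer:
    """One side's DPD state: idle timer, outstanding probe, replay check on received sequence numbers."""
    def __init__(self, spi, idle=10.0, max_fail=3):
        self.spi, self.idle, self.max_fail = spi, idle, max_fail
        self.last_traffic, self.tx_seq, self.last_rx_seq = 0.0, 0, None  # tx_seq start is this example's choice
        self.pending, self.failures, self.dead = None, 0, False
    def saw_traffic(self, now):                      # valid IPsec traffic (or a matching ACK) proves liveness
        self.last_traffic, self.pending, self.failures = now, None, 0
    def on_timer(self, now):                         # called at the probe interval; returns R-U-THERE or None
        if self.dead or now - self.last_traffic < self.idle:
            return None                               # traffic is flowing: no probe needed
        if self.pending is not None:                  # previous probe went unanswered
            self.failures += 1
            if self.failures >= self.max_fail:
                self.dead = True                      # caller now deletes the IKE SA and IPsec SAs
                return None
        self.pending = self.tx_seq = self.tx_seq + 1
        return build_dpd_notify(R_U_THERE, self.spi, self.tx_seq)
    def on_receive(self, buf, now):                  # handle an incoming DPD notify; returns an ACK or None
        ntype, spi, seq = parse_dpd_notify(buf)
        if spi != self.spi:
            return None                               # not addressed to this IKE SA
        if ntype == R_U_THERE_ACK:
            if seq == self.pending:                   # ACK must echo the outstanding probe
                self.saw_traffic(now)
            return None
        if self.last_rx_seq is not None and seq <= self.last_rx_seq:
            return None                               # replayed or stale probe: drop it
        self.last_rx_seq = seq
        return build_dpd_notify(R_U_THERE_ACK, self.spi, seq)   # ACK echoes the sequence number
```

A real implementation would wrap these payloads in an ISAKMP header, protect them with the phase 1 keys, and drive on_timer from the IKE daemon's event loop; the state logic is what carries over.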
