NE40E V800R010C10SPC500 Feature Description - Security 01

IPsec DPD

DPD

IP connectivity between IKE peers may be lost because of routing problems or because a peer reloads. The IKE protocol itself has no peer detection function: if an IKE peer becomes unreachable, nothing can be done except wait for the SA lifetime to expire, and the SA remains in place until then. An SA whose peer is unreachable therefore acts as a black hole, and the traffic sent into it is dropped. To restore IPsec communication, this black hole has to be detected and the SA torn down.

The keepalive mechanism addresses this issue: IKE peers periodically exchange Hello and ACK messages to tell each other that they are still active. However, when the number of IKE SAs is large, these Hello and ACK messages consume a large amount of CPU, which limits how far keepalive scales.

The Dead Peer Detection (DPD) mechanism is an alternative to keepalive. DPD minimizes the number of detection messages by using the IPsec traffic itself as evidence of liveness. DPD does not require the two peers' detection states to be synchronized: each end decides independently whether it needs to learn the peer's state, and it can send a detection request at any time rather than at a fixed interval. While normal IPsec traffic is arriving from the peer, the peer is evidently online, so no extra detection message is needed. Only if no IPsec traffic has been received for a period of time does the local end send a DPD message to check the peer's state.

DPD provides two mode parameters: interval and on-demand.

interval indicates that DPD works in polling mode. If the local end receives no traffic from the peer within the time specified by check-interval, it sends DPD packets at that interval. If the local end receives a response packet from the peer, the DPD process ends and a new DPD period starts. If no response is received, the local end retransmits the DPD packets. If it still receives no response after the retransmissions are exhausted, the local end deletes its local SA entries and runs the tunnel establishment process again.

on-demand indicates that DPD works in triggered mode. If the local end has sent no encrypted traffic, it sends no DPD packets. If the local end has sent encrypted traffic but receives no traffic from the peer within the time specified by check-interval, it sends DPD packets at that interval. If the local end receives a response packet from the peer, the DPD process ends and a new DPD period starts. If no response is received, the local end retransmits the DPD packets. If it still receives no response after the retransmissions are exhausted, the local end deletes its local SA entries and runs the tunnel establishment process again.
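To make the difference between the two modes concrete, the following is an added example that simulates the local-end DPD behaviour described above for both interval and on-demand mode. It is illustrative code written for this page, not the NE40E implementation: the retransmission interval is assumed to equal check-interval, the retransmission count (3) is an assumed value, any packet from the peer (data or DPD reply) is taken as proof of liveness, and the on-demand trigger is modelled as "encrypted traffic sent since the last packet received from the peer". All event timelines are constructed.

```python
"""Simplified simulation of IPsec DPD in interval and on-demand mode.

Time is in integer seconds. Events are (time, kind) pairs where kind is
"rx" (data received from the peer), "ack" (DPD reply from the peer) or
"tx" (encrypted data sent by the local end). Not vendor code; the
retransmit interval, retry count and trigger condition are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdPeer:
    """Local-end DPD state for one IKE peer (hypothetical model)."""
    mode: str                        # "interval" or "on-demand"
    check_interval: int              # seconds of peer silence before probing
    retries: int = 3                 # assumed retransmission count
    last_rx: int = 0                 # time of the last packet from the peer
    sent_since_rx: bool = False      # on-demand trigger: we sent, nothing came back
    probe_sent_at: Optional[int] = None
    retransmits: int = 0
    sa_alive: bool = True
    log: List[Tuple[int, str]] = field(default_factory=list)

    def on_rx(self, t: int) -> None:
        """Any packet from the peer (data or DPD reply) proves it is alive."""
        self.last_rx = t
        self.sent_since_rx = False
        if self.probe_sent_at is not None:
            self.log.append((t, "dpd-ack: peer alive, new period"))
            self.probe_sent_at = None
            self.retransmits = 0

    def on_tx(self, t: int) -> None:
        """Encrypted traffic sent by the local end arms the on-demand trigger."""
        self.sent_since_rx = True

    def tick(self, t: int) -> None:
        """Run once per second after the events for that second are applied."""
        if not self.sa_alive:
            return
        if self.probe_sent_at is None:
            idle = t - self.last_rx
            # interval mode probes on silence alone; on-demand also needs
            # unanswered outbound traffic.
            wants_probe = self.mode == "interval" or self.sent_since_rx
            if idle >= self.check_interval and wants_probe:
                self.probe_sent_at = t
                self.log.append((t, "dpd-probe"))
        elif t - self.probe_sent_at >= self.check_interval:
            if self.retransmits < self.retries:
                self.retransmits += 1
                self.probe_sent_at = t
                self.log.append((t, f"dpd-retransmit {self.retransmits}"))
            else:
                # Retransmissions exhausted: the peer is a black hole, so the
                # local SA entries are deleted and the tunnel is re-established.
                self.sa_alive = False
                self.log.append((t, "sa-deleted: re-establish tunnel"))


def run(mode: str, events: List[Tuple[int, str]], check_interval: int = 10,
        retries: int = 3, horizon: int = 80) -> DpdPeer:
    """Replay a constructed event timeline against a fresh DPD state."""
    peer = DpdPeer(mode, check_interval, retries)
    by_time = {}
    for t, kind in events:
        by_time.setdefault(t, []).append(kind)
    for t in range(horizon + 1):
        for kind in by_time.get(t, []):
            (peer.on_rx if kind in ("rx", "ack") else peer.on_tx)(t)
        peer.tick(t)
    return peer


if __name__ == "__main__":
    # Constructed scenarios: the peer goes silent after one packet at t=5.
    silent = [(5, "rx")]
    for mode in ("interval", "on-demand"):
        p = run(mode, silent)
        print(mode, "silent peer, no local traffic:", p.log or "no DPD sent")
    # On-demand only probes once the local end has sent encrypted traffic.
    p = run("on-demand", silent + [(12, "tx")])
    print("on-demand with local traffic:", p.log)
    # A DPD reply ends the process and starts a new period.
    p = run("interval", silent + [(20, "ack")], horizon=35)
    print("interval with reply:", p.log)
```

Running the script shows the practical trade-off: interval mode detects a dead peer even when the local end is idle, at the cost of probe traffic on every quiet SA, while on-demand mode stays silent until there is outbound traffic that goes unanswered, which is what makes it cheaper when many SAs are configured.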

Updated: 2019-01-03

Document ID: EDOC1100055047