[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(racoon 596) Re: DPD patch


I forgot to send a patch for racoon.conf.5 and a few details about DPD
implementation in my last mail.

If racoon is compiled with DPD support, this feature will ALWAYS be
negociated (a specific vendor-id payload), and racoon will always
respond to peer's requests (even if DPD vendor-ID was not sent by peer
during negociation, I don't know if this may lead to some
problems/security flaws, don't think so).

If dpd_delay is set in remote statement, and if peers sends the DPD
vendor ID in phase 1, then DPD monitoring will be activated as soon as
the phase1 will be negociated.

A R_U_THERE (request) will be sent every <dpd_delay> seconds, and another
will be scheduled <dpd_retry> seconds later.

If the R_U_THERE_ACK (answer) is received before, the dpd_fail will be
reseted and a new request will be re_scheduled <dpd_delay> seconds

If the answer is not received, the fail counter is incremented, and a
check against <max_fails> is done.

If fail < max_fails, the new request is sent, and another one is
scheduled <dpd_retry> seconds later, etc....

If fail => max_fails, all phases 1 / 2 handlers for this peer are

--- racoon.conf.5	Mon Jul 26 11:00:30 2004
+++ ../racoon-20040719a.orig/racoon.conf.5	Tue Jul 20 16:22:28 2004
@@ -423,29 +423,6 @@
 The default value is
 .Ic off .
-.It Ic dpd_delay Ar delay ;
-This option activates the DPD and sets the time (in seconds) allowed
-between 2 proofs of liveness requests.
-The default value is
-.Ic 0,
-which disables DPD monitoring, but still negociates DPD support.
-.It Ic dpd_retry Ar delay ;
-.Ic dpd_delay
-is set, this sets the delay (in seconds) to wait for a proof of
-liveness before considering it as failed and send another request.
-The default value is
-.Ic 5.
-.It Ic dpd_maxfail Ar number ;
-.Ic dpd_delay
-is set, this sets the maximum number of proof of liveness to request
-(without reply) before considering the peer is dead.
-The default value is
-.Ic 5.
 .It Ic nonce_size Ar number ;
 define the byte size of nonce value.
 Racoon can send any value although