On Tue, Aug 11, 2020 at 01:22:22AM +0000, Roman Danyliw wrote:
>
> > > ** Section 6.11.1.1.2. A mechanism for failed ACP detected using a
> > > secure channel protocol is noted for IPSec (with IKEv2 Dead Peer
> > > Detection). What is the equivalent for DTLS?
> >
> > Good question. If you know someone who could suggest an equivalent, please
> > bring her in. Given how this is a performance optimization, I don't think we
> > need to bother too much. I hope we can learn from
> > implementation/deployment experience (I only have that for IPsec) and then
> > write update text later with such refinements.
>
> Sorry, I too don't have a citable reference. Let's leave it as is.
DTLS heartbeats (RFC 6520) would probably be the closest thing to IKE dead peer detection, but it's not a perfect match. (Also, openssl removed all support for heartbeats recently-ish, even for DTLS; I guess heartbleed left too many painful memories.)

-Ben

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
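To make the comparison concrete, the following is an added example, not code from the thread, the ACP draft or any TLS library: it encodes and decodes the RFC 6520 HeartbeatMessage (type, 16-bit payload_length, payload, at least 16 bytes of padding) and layers a dead-peer-detection loop on top of it in the spirit of IKEv2 DPD. The message layout and the "discard silently if payload_length is too large" rule are from RFC 6520; the payload_length check is exactly the one whose absence was Heartbleed (CVE-2014-0160). The timeout and the number of retransmissions after which the peer is declared dead are local policy assumptions, not values the RFC fixes, and the `record` argument is assumed to be the already-decrypted content of one DTLS heartbeat record, since the check needs the record length. The names `HeartbeatLiveness`, `build_heartbeat`, `parse_heartbeat` and `respond_to_heartbeat` are this example's own.

```python
import os
import struct

# RFC 6520 HeartbeatMessage: type(1) | payload_length(2) | payload | padding(>=16)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(msg_type, payload, padding_len=MIN_PADDING):
    """Encode a HeartbeatMessage; padding is random and at least 16 bytes (RFC 6520 s.4)."""
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type")
    if padding_len < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit payload_length")
    return struct.pack("!BH", msg_type, len(payload)) + payload + os.urandom(padding_len)


def parse_heartbeat(record):
    """Decode one heartbeat record (assumed: already-decrypted record content).
    Returns (type, payload), or None when the message must be silently
    discarded (RFC 6520 s.4): unknown type, or a payload_length that does not
    leave >= 16 bytes of padding inside the record. Bounding the payload by
    the real record length is the check Heartbleed (CVE-2014-0160) lacked."""
    if len(record) < 3 + MIN_PADDING:
        return None
    msg_type, payload_length = struct.unpack("!BH", record[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    padding_length = len(record) - 3 - payload_length
    if padding_length < MIN_PADDING:
        return None
    return msg_type, record[3:3 + payload_length]


def respond_to_heartbeat(record):
    """Peer side: answer a valid HeartbeatRequest with a HeartbeatResponse
    carrying an exact copy of the payload; anything else gets no reply."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


class HeartbeatLiveness:
    """Dead-peer detection driven by heartbeats. RFC 6520 allows one
    HeartbeatRequest in flight at a time and, over DTLS, retransmits it on
    timeout; the timeout and the retransmission budget after which the peer
    is declared dead are local policy (assumed here, not fixed by the RFC)."""

    def __init__(self, timeout, max_retransmits):
        self.timeout = timeout
        self.max_retransmits = max_retransmits
        self.in_flight = None      # payload of the outstanding request, if any
        self.sent_at = None
        self.retransmits = 0

    def start(self, now, payload=None):
        """Send a request unless one is already outstanding (returns None then)."""
        if self.in_flight is not None:
            return None
        self.in_flight = os.urandom(16) if payload is None else payload
        self.sent_at = now
        self.retransmits = 0
        return build_heartbeat(HEARTBEAT_REQUEST, self.in_flight)

    def on_message(self, record):
        """True only if record is the response to the outstanding request."""
        parsed = parse_heartbeat(record)
        if parsed is None or parsed[0] != HEARTBEAT_RESPONSE:
            return False
        if self.in_flight is None or parsed[1] != self.in_flight:
            return False           # stale or forged response: ignore it
        self.in_flight = None
        return True

    def tick(self, now):
        """Returns (state, request_bytes_or_None) with state one of
        'idle', 'waiting', 'retransmit', 'dead'."""
        if self.in_flight is None:
            return "idle", None
        if now - self.sent_at < self.timeout:
            return "waiting", None
        self.retransmits += 1
        if self.retransmits > self.max_retransmits:
            self.in_flight = None
            return "dead", None
        self.sent_at = now
        return "retransmit", build_heartbeat(HEARTBEAT_REQUEST, self.in_flight)
```

The response is matched on the random payload, so a response that is not a byte-exact echo of the outstanding request (stale, replayed or forged) does not count as proof of life; that is the same role the cookie plays in IKEv2 DPD.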
