Hi Gerhard,

----- Original Message -----
From: Gerhard Muenz <[email protected]>
Date: Monday, 3 August 2009, 4:03 AM
Subject: Re: Missing dead peer detection in DTLS (Gerhard Muenz)
To: fenghongyan <[email protected]>
Cc: [email protected]

> Hi Linda,
>
> fenghongyan wrote:
> > Hi, Gerhard
> >
> > Thanks for your comments, I read the proposals, I can see it's a good idea to solve the dtls/udp's flaw.
> > "time-out" is a solution, but its disadvantage here is that it is hard to decide an appropriate least round trip time.
> > A short "time-out" will cost the dtls client large calculation expense. Providing a "heart-beat" solution,
> > the sender needn't renegotiate at each round trip time of "heart-beat", which may set
> > a longer resume-session time and renegotiation time according to its strategy.
> > I prefer a "heart-beat" solution over a "time-out" solution for this issue.
> >
> > The only thing left here for syslog-dtls is whether we need to specify using "heart-beat" in a syslog-dtls proposal?
>
> The DTLS heartbeat extension is an individual draft which has been
> presented in the TLS WG session on Friday. Some reactions were that such
> an extension could be useful, not only for DTLS but also for TLS where
> detecting a timed out TCP connection may take a very long time. However,
> it's not clear if the TLS WG will support the draft. If not, you will
> have problems using it for syslog-dtls. It's the same for IPFIX.
>
> > It's a problem of dtls/udp, which can be fixed in the implementation of dtls and as a part of dtls protocol.
>
> I share this opinion. I think that DTLS for UDP would generally profit
> from such an extension. Without, DTLS for UDP is of limited utility.
>
> > Is there anything syslog-dtls needs to do to support it? What's your consideration?
>
> Not sure. We have not tried the corresponding OpenSSL patch yet. Maybe
> the application (e.g. syslog) has to trigger the Heartbeat.

Yeah, I see that the source code does not yet support triggering by the application. What I considered are the issues for dtls-udp. I don't know too much of ipfix; are there more than one exporter that need to export data to one collector?

There may be many syslog senders sending logs to one receiver, which brings up an issue of dtls-udp. I wrote it in my proposal, in 5.3, as session demultiplexing. I think if the ipfix collector needs to support multiple exporters, ipfix also needs to support session demultiplexing, but I didn't see that in your proposal. What's your consideration?

Linda

> Regards,
> Gerhard
>
> > Thanks
> > Linda
>
> --
> Dipl.-Ing. Gerhard Münz
> Chair for Network Architectures and Services (I8)
> Technische Universität München - Department of Informatics
> Boltzmannstr. 3, 85748 Garching bei München, Germany
> Phone: +49 89 289-18008 Fax: +49 89 289-18033
> E-mail: [email protected] WWW: http://www.net.in.tum.de/~muenz

_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
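The two points raised in this message, a receiver that demultiplexes DTLS-over-UDP sessions by sender address and a heartbeat-based dead peer detection that lets a quiet but live sender keep its session without renegotiating, can be modelled together. The following Python is an added example and is not code from the thread, from the heartbeat draft or from OpenSSL: it abstracts the heartbeat request/response framing away, and HEARTBEAT_INTERVAL, MAX_MISSED and the 192.0.2.x peer addresses are constructed values, not taken from any draft.

```python
# Added example (not from the mailing list thread): a receiver-side model of
# session demultiplexing by peer address plus heartbeat-based dead peer
# detection for DTLS over UDP. Heartbeat request/response framing is
# abstracted away; HEARTBEAT_INTERVAL, MAX_MISSED and the 192.0.2.x peers
# are constructed values, not taken from any draft.
from dataclasses import dataclass

HEARTBEAT_INTERVAL = 5.0  # seconds of silence before the receiver probes a peer
MAX_MISSED = 3            # unanswered probes before the peer is declared dead


@dataclass
class Session:
    peer: tuple             # (ip, port) of the sender; the demultiplexing key
    last_seen: float        # time of the last datagram received from this peer
    missed: int = 0         # heartbeat requests sent without any reply
    probe_due: float = 0.0  # earliest time the next heartbeat request goes out


class Demuxer:
    """One UDP socket, many DTLS sessions, keyed by the sender's address."""

    def __init__(self):
        self.sessions = {}

    def on_datagram(self, peer, now):
        """Any datagram (record or heartbeat response) proves the peer alive."""
        s = self.sessions.get(peer)
        if s is None:
            s = Session(peer=peer, last_seen=now)
            self.sessions[peer] = s
        s.last_seen = now
        s.missed = 0
        s.probe_due = now + HEARTBEAT_INTERVAL
        return s

    def tick(self, now):
        """Run the timers. Returns (dead_peers, peers_to_probe)."""
        dead, probes = [], []
        for peer, s in list(self.sessions.items()):
            if now < s.probe_due:
                continue
            if s.missed >= MAX_MISSED:
                # MAX_MISSED probes went unanswered: release the session state
                dead.append(peer)
                del self.sessions[peer]
                continue
            probes.append(peer)
            s.missed += 1
            s.probe_due = now + HEARTBEAT_INTERVAL
        return dead, probes


def simulate():
    """Constructed scenario: two senders share one receiver socket. Sender A
    answers every heartbeat request; sender B goes silent after its first
    datagram. Returns ({dead_peer: detection_time}, surviving_peers)."""
    a, b = ("192.0.2.10", 40001), ("192.0.2.11", 40002)
    d = Demuxer()
    d.on_datagram(a, 0.0)
    d.on_datagram(b, 0.0)
    detected = {}
    for step in range(26):
        now = float(step)
        dead, probes = d.tick(now)
        for peer in probes:
            if peer == a:
                d.on_datagram(a, now + 0.1)  # A's heartbeat response arrives
        for peer in dead:
            detected[peer] = now
    return detected, sorted(d.sessions)


if __name__ == "__main__":
    print(simulate())
```

In the scenario, sender B is declared dead at t = 20 (three unanswered probes after 5 s of silence each), while sender A, which sends no log records at all during the run, survives purely because it answers the heartbeat probes. A plain idle time-out would have dropped A as well, forcing a full resumption or renegotiation when it next had something to send, which is the cost the message argues a heartbeat avoids.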
