Hello everyone,
This post will introduce the Dead Peer Detection (DPD) mechanism in IPSec.
What is DPD?
Dead Peer Detection (DPD) is a mechanism for detecting whether an IKE peer has failed.
The IKE protocol itself provides no mechanism for detecting the state of a peer. When a fault occurs between IKE/IPSec peers, the local end cannot detect that the peer has become unreachable; for the remaining lifetime of the SA, it keeps sending local traffic into the IPSec tunnel, where it is eventually discarded. A function for detecting the failure of an IKE peer is therefore required.
Keepalives and Heartbeats (the term used on firewalls) can both provide this function, but both periodically send probe traffic between the IKE peers to inform each other that they are alive, which consumes a lot of CPU resources and wastes bandwidth.
DPD is an alternative to Keepalives and Heartbeats: a traffic-based mechanism for detecting whether a peer is dead. It uses the IPSec traffic itself as evidence that the peer is alive, which minimizes the number of peer-status messages that have to be sent.
How does DPD work?
DPD detection is independent on each side: it does not need to negotiate the detection interval with the peer, and the DPD states of the two peers are independent of each other.
While IPSec traffic is flowing between the peers, the traffic itself proves that the peer is online, so no extra messages are needed to detect whether the peer is online. Only after there has been no traffic for a period of time does the local end start to doubt whether the peer end is still online; it then sends a DPD message to confirm that the peer end is online before sending traffic.
As mentioned above, DPD detection requires no negotiation and is independent of the peer, so each peer can use its own DPD detection criteria. For example, if peer A wants to identify black holes quickly in order to recover resources, it can configure an interval of 10 seconds: if peer A needs to send traffic to peer B but has not received traffic from peer B within the last 10 seconds, it initiates a DPD probe to peer B. Conversely, if peer B has a low requirement on how quickly black holes are identified, it can configure an interval of 5 minutes: if the tunnel has been idle for 5 minutes when peer B needs to send traffic to peer A, it initiates a DPD probe to peer A.

DPD mode
DPD has the following two detection modes:
on-demand
Indicates that DPD works in traffic-triggered mode. If the local end has no traffic to send, it sends no DPD packets. When the local end needs to send traffic to the peer end and the time since it last received traffic from the peer end exceeds the DPD idle time, the local end actively sends a DPD request packet to the peer end.
interval (called periodic in firewalls)
Indicates that DPD works in timer-triggered mode. Whenever the time since the local end last received traffic from the peer end exceeds the DPD idle time, the local end actively sends a DPD request packet to the peer end.
After the local end sends a DPD request message to the peer end, if it receives a response message from the peer end within the DPD message retransmission interval, the current DPD process ends. If no response message is received from the peer end, the DPD request message is retransmitted. If the DPD response message from the peer end is still not received, the peer end is considered offline, and the corresponding SA entry on the local end is deleted.
DPD message type
DPD messages are ISAKMP NOTIFY messages of two types: R-U-THERE and R-U-THERE-ACK. The two share the same message structure and differ only in the content of the NOTIFY message type, which is the ACK variant for the response. In addition, the sequence number carried in the R-U-THERE-ACK must match that of the R-U-THERE it answers.
The R-U-THERE message structure is as follows:

The DPD message interaction is as follows:

DPD parameter introduction
DPD parameters are called differently on Huawei routers and firewalls.
On router
| Parameter | Description | Value |
| --- | --- | --- |
| check-interval | Interval at which DPD packets are sent. | An integer in the range 10 to 3600, in seconds. |
| retry-interval | Interval for timeout retransmission of DPD packets. | An integer in the range 2 to 60, in seconds. The default value is 5 seconds. |
On firewall
| Parameter | Description | Value |
| --- | --- | --- |
| idle-time interval | Specifies the DPD idle time. | An integer in the range 10 to 3600, in seconds. |
| retransmit-interval interval | Specifies the DPD packet retransmission interval. | An integer in the range 2 to 60, in seconds. |
| retry-limit times | Specifies the maximum number of DPD packet retransmissions. | An integer in the range 3 to 10. |
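As an added example (not code from the original post or from any Huawei product), the following Python simulation of one end's DPD monitor ties the two detection modes described above to the firewall parameters idle-time, retransmit-interval and retry-limit, and to the rule that an R-U-THERE-ACK only counts when its sequence number matches the outstanding R-U-THERE. The DpdMonitor class, its method names and the tick-driven timeline are assumptions of this example.

```python
# Simulation of one end's DPD monitor (constructed example, not vendor code).
# Times are in seconds; events are driven by tick() rather than real timers.
class DpdMonitor:
    def __init__(self, mode, idle_time, retransmit_interval, retry_limit):
        assert mode in ("on-demand", "periodic")
        self.mode, self.idle_time = mode, idle_time
        self.retransmit_interval, self.retry_limit = retransmit_interval, retry_limit
        self.last_rx = 0.0      # time of the last traffic (or valid ACK) from the peer
        self.seq = 0            # sequence number of the current R-U-THERE
        self.sent_at = None     # when the outstanding R-U-THERE was (re)sent
        self.retries = 0        # retransmissions of the outstanding R-U-THERE
        self.peer_dead = False
        self.log = []           # (time, message, seq) of every probe sent

    def traffic_received(self, now):
        """Any IPsec traffic from the peer proves it is alive: reset the idle timer."""
        self.last_rx = now
        self.sent_at, self.retries = None, 0

    def _send_probe(self, now, retransmit=False):
        if not retransmit:
            self.seq += 1       # a retransmission keeps the same sequence number
        self.sent_at = now
        self.log.append((now, "R-U-THERE", self.seq))

    def ack_received(self, now, seq):
        """An R-U-THERE-ACK ends the DPD round only if its sequence number matches."""
        if self.sent_at is not None and seq == self.seq:
            self.traffic_received(now)
            return True
        return False            # stale or forged ACK: ignored, probe stays outstanding

    def tick(self, now, has_traffic_to_send=False):
        """Advance the clock; returns 'probe', 'retransmit', 'dead' or None."""
        if self.peer_dead:
            return "dead"
        if self.sent_at is not None:                    # waiting for an ACK
            if now - self.sent_at < self.retransmit_interval:
                return None
            if self.retries >= self.retry_limit:        # retry-limit exhausted
                self.peer_dead = True                   # delete this peer's SA entries
                return "dead"
            self.retries += 1
            self._send_probe(now, retransmit=True)
            return "retransmit"
        idle = now - self.last_rx >= self.idle_time
        # on-demand probes only when there is traffic to send; periodic probes regardless
        if idle and (self.mode == "periodic" or has_traffic_to_send):
            self._send_probe(now)
            return "probe"
        return None
```

With idle-time 10, retransmit-interval 5 and retry-limit 3, a periodic monitor that hears nothing sends the probe at 10 s, retransmits at 15, 20 and 25 s, and declares the peer dead at 30 s.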
That is all I want to share with you!

