
Re: IPSec SA DELETE in "dangling" implementation



>>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:

 Tero> Jan Vilhuber writes:
 >> > - could we use (somehow) IPSec-based keep-alives
 >>
 >> You could, but it would introduce a 'special' ipsec packet, which I do
 >> not particularly care for. IPSEC shouldn't have to look at each packet
 >> and decide if this is a 'control packet' or if this is a regular
 >> packet.

 Tero> We already have that "special" packet. It is called ICMP echo
 Tero> (ping)... I don't think there is need to create another one. If
 Tero> we use IPsec based keep-alives, I think it should use normal
 Tero> ICMP echo (ping) packets.

I don't think that works in general.  What would you ping?  The
security gateway?  But the security policy for the SA may not have
that address as an allowed (inner) address.  Some random address
behind the security gateway?  But you can't in general pick one and
know that it will be up.

	paul
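As an added illustration (not part of this thread or any IPsec implementation), a small Python model of IKEv2-style traffic selectors that shows the objection above: an ICMP echo only tells you anything about an SA if its inner source and destination actually fall within that SA's selectors, so neither the gateway's outer address nor an arbitrary inner host is a safe keep-alive target. The addresses, selectors and the `TunnelSA`/`Selector` names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

ICMP = 1        # IP protocol number for ICMP
ANY_PROTO = 0   # "any protocol" in an IKEv2 traffic selector


@dataclass(frozen=True)
class Selector:
    """One IKEv2-style traffic selector: an inner address range plus a protocol (0 = any)."""
    network: ipaddress.IPv4Network
    proto: int = ANY_PROTO

    def matches(self, addr: ipaddress.IPv4Address, proto: int) -> bool:
        return addr in self.network and self.proto in (ANY_PROTO, proto)


@dataclass(frozen=True)
class TunnelSA:
    """Constructed tunnel-mode SA: the peer's outer address plus the inner selectors it protects."""
    peer_outer: ipaddress.IPv4Address
    local_sel: Selector
    remote_sel: Selector


def echo_covered(sa: TunnelSA, src: str, dst: str) -> bool:
    """Would an ICMP echo from src to dst be selected into (and thus protected by) this SA?
    A packet that misses the selectors is handled by the SPD (bypass or discard) and says
    nothing about whether this SA is alive."""
    return (sa.local_sel.matches(ipaddress.IPv4Address(src), ICMP)
            and sa.remote_sel.matches(ipaddress.IPv4Address(dst), ICMP))


def usable_keepalive_targets(sa: TunnelSA, src: str, candidates: list[str]) -> list[str]:
    """Filter candidate ping targets down to the ones the SA's policy actually covers."""
    return [c for c in candidates if echo_covered(sa, src, c)]


# Constructed sample: site-to-site tunnel, gateway outer address 203.0.113.1,
# protecting 10.1.0.0/24 <-> 10.2.0.0/24 for any protocol ...
GW = ipaddress.IPv4Address("203.0.113.1")
SA_ANY = TunnelSA(GW, Selector(ipaddress.IPv4Network("10.1.0.0/24")),
                      Selector(ipaddress.IPv4Network("10.2.0.0/24")))
# ... and a narrower SA between the same sites that carries only TCP (proto 6).
SA_TCP = TunnelSA(GW, Selector(ipaddress.IPv4Network("10.1.0.0/24"), proto=6),
                      Selector(ipaddress.IPv4Network("10.2.0.0/24"), proto=6))

if __name__ == "__main__":
    cands = [str(GW), "10.2.0.7", "10.3.0.1"]
    print(usable_keepalive_targets(SA_ANY, "10.1.0.5", cands))   # ['10.2.0.7']
    print(usable_keepalive_targets(SA_TCP, "10.1.0.5", cands))   # []
```

Even the one covered target, 10.2.0.7, only proves the SA is alive if that host happens to answer, which is the second half of the objection and is not something the policy can tell you.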

