RE: Heartbeats (was RE: keepalives)

[Tero Kivinen <kivinen@ssh.fi>]

Jan Vilhuber writes:
> What about this: when sending a phase1-heartbeat (where we still need to
> agree what this would look like) from host A to host B, why not include in it
> all SPI's that host A shares with host B. If host B has a few SPI's that host
> A didn't include in the heartbeat, then they are obviously deleted, and host
> B should delete it's SPIS for those.

That could be one way to do it, but it only allows machine to have
16376 SAs up at one time (64 kB packet limit at the UDP level). I
have been doing testing with bigger number of SAs between hosts
already now, and I wonder what amount of SAs we have in 5-10 years....

Is that amount enough?
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

---

Follow-Ups:

• RE: Heartbeats (was RE: keepalives)
• From: Paul Koning <pkoning@xedia.com>
• Re: Heartbeats (was RE: keepalives)
• From: "Todd Glassey" <Todd@CertifiedTime.com>
• RE: Heartbeats (was RE: keepalives)
• From: Jan Vilhuber <vilhuber@cisco.com>

References:

• RE: Heartbeats (was RE: keepalives)
• From: Andrew Krywaniuk <akrywaniuk@TimeStep.com>
• RE: Heartbeats (was RE: keepalives)
• From: Jan Vilhuber <vilhuber@cisco.com>

---

• Prev by Date: Re: IPSec SA DELETE in "dangling" implementation
• Next by Date: Re: Incorporation of AES into IPSec
• Prev by thread: RE: Heartbeats (was RE: keepalives)
• Next by thread: RE: Heartbeats (was RE: keepalives)
• Index(es):
  • Main
  • Thread