
Re: Heartbeats (was RE: keepalives)



Paul,

These are IPSec SAs

Paul Koning wrote:

> >>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:
>
>  Tero> Jan Vilhuber writes:
>  >> What about this: when sending a phase1-heartbeat (where we still
>  >> need to agree what this would look like) from host A to host B,
>  >> why not include in it all SPIs that host A shares with host B. If
>  >> host B has a few SPIs that host A didn't include in the
>  >> heartbeat, then they are obviously deleted, and host B should
>  >> delete its SPIs for those.
>
>  Tero> That could be one way to do it, but it only allows a machine to
>  Tero> have 16376 SAs up at one time (64 kB packet limit at the UDP
>  Tero> level). I have already been testing with a bigger number of SAs
>  Tero> between hosts, and I wonder what amount of SAs we
>  Tero> will have in 5-10 years....
>
>  Tero> Is that amount enough?
>
> 16k SAs between a single pair of security gateways?  The usual number
> is one.  Indeed, there have been some good arguments why it's unlikely
> that much more than that is useful.  (The classic argument for more is
> "so some data can be protected better than other".  But with decent
> crypto performance, a simpler solution is to protect everything to the
> maximum extent possible.)
>
> Can you give a scenario where thousands of SAs between a single pair
> of security gateways is necessary?
>
>         paul

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-539-4816
http://www.ire.com
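The SPI-list heartbeat proposed in the quoted thread, as a worked Python model added here for illustration (not code from the thread, from IRE, or from any IPsec implementation). Host A lists every IPsec SPI it shares with host B; B deletes any SA whose SPI is absent from the list. The payload layout (a bare array of big-endian 32-bit SPIs), the header sizes used for the capacity estimate, and the function names are all assumptions, and the sample SPI values are constructed:

```python
"""
Toy model of an SPI-list heartbeat (added example, not a standardised
wire format).  Assumptions: the heartbeat payload is a plain array of
32-bit big-endian SPIs, and it travels under the phase-1 (ISAKMP) SA,
so only the authenticated peer can cause SAs to be dropped.
"""
import struct

# Assumed sizes used for the "how many SPIs fit" estimate: maximum UDP
# datagram, UDP header, ISAKMP header, generic ISAKMP payload header.
MAX_UDP_DATAGRAM = 65535
UDP_HEADER = 8
ISAKMP_HEADER = 28
PAYLOAD_HEADER = 4
SPI_SIZE = 4  # ESP and AH SPIs are 32-bit


def max_spis_per_heartbeat() -> int:
    """Number of 4-byte SPIs that fit in one UDP datagram once the
    assumed headers are subtracted.  Comes out at roughly 16k, the
    order of magnitude of the 64 kB limit discussed in the thread."""
    room = MAX_UDP_DATAGRAM - UDP_HEADER - ISAKMP_HEADER - PAYLOAD_HEADER
    return room // SPI_SIZE


def build_heartbeat(spis) -> bytes:
    """Sender side (host A): serialise the SPIs it shares with the peer.

    Refuses, rather than silently truncates, when the list will not fit:
    a truncated list would make the peer delete SAs that are still live.
    """
    spis = sorted(set(spis))
    if len(spis) > max_spis_per_heartbeat():
        raise ValueError(
            f"{len(spis)} SPIs exceed the one-datagram limit of "
            f"{max_spis_per_heartbeat()}")
    return b"".join(struct.pack("!I", spi) for spi in spis)


def parse_heartbeat(payload: bytes) -> set:
    """Decode a heartbeat payload into a set of SPIs.  A length that is
    not a multiple of 4 means a malformed message; reject it instead of
    guessing, because a wrong parse could drop the wrong SAs."""
    if len(payload) % SPI_SIZE:
        raise ValueError("heartbeat payload length is not a multiple of 4")
    return {struct.unpack("!I", payload[i:i + SPI_SIZE])[0]
            for i in range(0, len(payload), SPI_SIZE)}


def reconcile(local_spis, payload: bytes) -> set:
    """Receiver side (host B): SPIs B holds with A that A no longer
    lists.  Those SAs are considered deleted on A and should be removed
    locally.  SPIs A lists that B does not know are left for A's own
    stale-SA handling; this side only ever removes, never creates."""
    listed = parse_heartbeat(payload)
    return set(local_spis) - listed


if __name__ == "__main__":
    # Constructed sample: A still has three SAs with B, B believes it
    # has four, so B should drop the one A no longer lists.
    a_spis = [0x1001, 0x1002, 0x1003]
    b_spis = {0x1001, 0x1002, 0x1003, 0x1004}
    hb = build_heartbeat(a_spis)
    print("max SPIs per heartbeat:", max_spis_per_heartbeat())
    print("B should delete SAs with SPIs:",
          sorted(hex(s) for s in reconcile(b_spis, hb)))
```

Two points a practitioner would check before deploying something like this: the capacity ceiling is a hard failure in `build_heartbeat` because silently sending a partial list is worse than sending nothing, and the whole scheme only makes sense if the heartbeat is authenticated under the phase-1 SA, since an unauthenticated empty list would let anyone on the path tear down every SA between the two gateways.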
