
RE: Heartbeats (was RE: keepalives)



Paul Koning writes:
> 16k SAs between a single pair of security gateways?  The usual number

Not between gateways, between hosts. Usually that happens when you have
an SA-per-port type of policy (i.e. a different policy per user).

> Can you give a scenario where thousands of SAs between a single pair
> of security gateways is necessary?

A large Unix machine with about 4096 users, each using AH+ESP
(== 4 SAs per TCP/IP connection), will give you more than 16k SAs...

Having a machine that has 4096 users logged in isn't that common, but I
wouldn't say it is impossible in 5 years...

BTW, the other machine is of course the www-proxy or the firewall
machine :-)

Anyway, I don't think it is a common thing, but I say we should think
about it and decide if we can accept such a limit.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
