
Re: IPSec SA DELETE in "dangling" implementation



On Mon, 6 Dec 1999, Tero Kivinen wrote:
> Jan Vilhuber writes:
> > On Fri, 3 Dec 1999, Tero Kivinen wrote:
> > > We already have that "special" packet. It is called ICMP echo
> > > (ping)... I don't think there is need to create another one. If we use
> > > IPsec based keep-alives, I think it should use normal ICMP echo (ping)
> > > packets.
> > 
> > You can't do that, since that would run up the packet/byte counts, which some
> > people want to do accounting on and charge the customer for.
> 
> How about counting the bytes/packets only if they are routed through
> the gateway, not if they are destinationed to the gateway.
> 
Won't work either, since you might have l2tp terminated in this box, so those
packets don't get routed through the gateway, they terminate there (the
contents get decapsulated and routed, but not the l2tp packets).

> You have to do special code for the special packets for the accounting
> anyways, so you can also detect that this is normal ping packet
> destinationed to the gateway, and if so, do not add it to the counts.
> If you use ping packets, and you are not doing accounting you don't
> have to do anything special, everything works immediately. 

That's too much special casing in an already too complex protocol.

jan
 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847


