
Re: Heartbeats (was RE: keepalives)

Paul Koning wrote:

> >>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:
>
>  Tero> Jan Vilhuber writes:
>  >> What about this: when sending a phase1-heartbeat (where we still
>  >> need to agree what this would look like) from host A to host B,
>  >> why not include in it all SPI's that host A shares with host B. If
>  >> host B has a few SPI's that host A didn't include in the
>  >> heartbeat, then they are obviously deleted, and host B should
>  >> delete its SPIs for those.
>
>  Tero> That could be one way to do it, but it only allows a machine to
>  Tero> have 16376 SAs up at one time (64 kB packet limit at the UDP
>  Tero> level). I have been doing testing with bigger number of SAs
>  Tero> between hosts already now, and I wonder what amount of SAs we
>  Tero> have in 5-10 years....
>
>  Tero> Is that amount enough?
>
> 16k SAs between a single pair of security gateways?  The usual number
> is one.  Indeed, there have been some good arguments why it's unlikely
> that much more than that is useful.  (The classic argument for more is
> "so some data can be protected better than other".  But with decent
> crypto performance, a simpler solution is to protect everything to the
> maximum extent possible.)
>
> Can you give a scenario where thousands of SAs between a single pair
> of security gateways is necessary?

These are phase 2 SAs, and their number can be big if the same gateways
are providing LAN-to-LAN connectivity. Phase 2 SAs are created for
different combinations of IP addresses and ports, so they can be large.

In some implementations, memory is at a premium and it may be very
difficult to send bigger UDP packets. In some implementations, all
the UDP data needs to be sent to the TCP/IP stack at once, and
it may not be able to allocate a 64K byte memory block to store all
the phase 2 SAs' SPIs.

I feel it is better to indicate which SAs are alive on the sender side
in more than one packet and at different times.

On the receiving side, if it does not receive any keepalives for a certain
period of time for some SAs, then it will delete them.

>
>
>         paul

Regards
Srini
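The scheme discussed above (a heartbeat carrying the sender's live SPI list, the UDP size ceiling on that list, and Srini's suggestion of spreading the list over several packets with a receiver-side expiry timer), as an added example that is not code from the thread or from any IKE implementation. The header size, SPI values and timings are constructed assumptions.

```python
"""Chunked SA keepalives: the sender splits its live SPI list across several
heartbeat messages, the receiver expires SAs it has not heard about in time."""
from dataclasses import dataclass, field

MAX_UDP_PAYLOAD = 65507   # largest IPv4 UDP payload
HEADER_BYTES = 28         # assumed per-heartbeat header (chunk index, count, ...)
SPI_BYTES = 4             # an IPsec SPI is 32 bits


def max_spis_per_packet(payload_limit=MAX_UDP_PAYLOAD, header=HEADER_BYTES):
    """How many SPIs fit in one heartbeat: this is the ceiling Tero points at."""
    return (payload_limit - header) // SPI_BYTES


def split_spis(spis, per_packet):
    """Sender side: carve the live SPI list into fixed-size chunks."""
    spis = sorted(spis)
    return [spis[i:i + per_packet] for i in range(0, len(spis), per_packet)]


@dataclass
class SaTable:
    """Receiver side: remembers when each local SA was last confirmed alive."""
    timeout: float
    last_seen: dict = field(default_factory=dict)   # spi -> last heartbeat time

    def install(self, spi, now):
        self.last_seen[spi] = now

    def on_heartbeat(self, spis, now):
        # Heartbeats must arrive under the authenticated phase 1 SA; only
        # SPIs we actually hold are refreshed, unknown SPIs are ignored.
        for spi in spis:
            if spi in self.last_seen:
                self.last_seen[spi] = now

    def expire(self, now):
        """Drop SAs the peer has not listed within the timeout; return them."""
        dead = [s for s, t in self.last_seen.items() if now - t > self.timeout]
        for s in dead:
            del self.last_seen[s]
        return sorted(dead)


def simulate(timeout=30.0, per_packet=2):
    peer_alive = [0x10, 0x20, 0x30, 0x40, 0x50]    # constructed: SPIs the peer still has
    table = SaTable(timeout)
    for spi in peer_alive + [0x60]:                # 0x60 exists only locally (peer lost it)
        table.install(spi, now=0.0)
    t = 0.0
    for chunk in split_spis(peer_alive, per_packet):
        t += 5.0                                   # chunks arrive at different times
        table.on_heartbeat(chunk, now=t)
    return table.expire(now=t + 20.0), sorted(table.last_seen)
```

Note that the receiver's timeout has to exceed the time the sender takes to cycle through all chunks, or live SAs at the end of the list are expired before their chunk arrives.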