
Re: Heartbeats (was RE: keepalives)




> I'm not sure what heartbeat packet is best, ISAKMP, transport ESP or
> 'hijacked' tunnelled ESP.  I think this is a new protocol but I don't think
> it justifies an SA of its own.  I think using an ISAKMP notification is best
> as most people seem to want this associated with the phase 1 SA.



	I'd like to see dead peer detection be in a dedicated IPsec SA pair per
peer pair. There are several good things about doing dead peer detection
this way:

 * If there are multiple IKE or IPsec SAs to the same peer, only one
'keepalive' session is needed.

 * Allows IKE SAs to go away (or dangle the IPsec SAs) if an
implementation so wishes.

 * Does not interfere with packet counts or inactivity timeouts of IKE
or other IPsec SAs.

 * IPsec may architecturally swap key management protocol without
worrying about losing dead peer detection functions.

 * May be enabled or disabled per peer by policy.



	Here is one negative that I can think of: If one peer reconfigures such
that some but not all current IPsec SAs become defunct, this scheme may
not detect that or may think all current SAs became defunct. This could
be engineered around with a dead peer recovery detection algorithm.

-- 
####################################
#  Ricky Charlet
#	(510) 795-6903
#	rcharlet@redcreek.com
####################################

end Howdy;
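A small model of the design proposed above, added here as an illustration and not code from the original thread: one keepalive session per peer pair with its own miss counter, data SAs whose packet counts the heartbeats never touch, and the partial-reconfiguration case the post flags as a negative. The class names, the 10 s heartbeat interval and the three-miss threshold are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class IpsecSA:
    # A data SA: keeps its own packet count; keepalives never touch it
    spi: int
    packets: int = 0
    defunct: bool = False   # True if the peer silently dropped just this SA

@dataclass
class KeepaliveSession:
    # One dedicated keepalive SA pair per peer pair (hypothetical model)
    interval: float         # seconds between heartbeats
    max_missed: int         # consecutive misses before the peer is declared dead
    enabled: bool = True    # may be switched off per peer by policy
    missed: int = 0

    def heartbeat(self, peer_answers: bool) -> bool:
        """Send one heartbeat; return True once the peer counts as dead."""
        if not self.enabled:
            return False
        self.missed = 0 if peer_answers else self.missed + 1
        return self.missed >= self.max_missed

@dataclass
class Peer:
    sas: List[IpsecSA]
    keepalive: KeepaliveSession

    def run(self, peer_alive_until: float, end: float) -> Optional[float]:
        """Drive heartbeats until `end`; return the time the peer is declared dead."""
        t = 0.0
        while t < end:
            t += self.keepalive.interval
            if self.keepalive.heartbeat(peer_answers=t <= peer_alive_until):
                return t
        return None

def dead_peer_scenario():
    """Whole peer goes silent at t=30; 10 s heartbeats, 3 misses allowed."""
    peer = Peer([IpsecSA(0x100), IpsecSA(0x200)], KeepaliveSession(10, 3))
    declared = peer.run(peer_alive_until=30, end=120)
    return declared, [sa.packets for sa in peer.sas]   # (60.0, [0, 0])

def partial_reconfig_scenario():
    """Peer drops only SA 0x200 but still answers heartbeats: goes undetected."""
    peer = Peer([IpsecSA(0x100), IpsecSA(0x200, defunct=True)], KeepaliveSession(10, 3))
    declared = peer.run(peer_alive_until=1e9, end=120)
    return declared, [sa.spi for sa in peer.sas if sa.defunct]   # (None, [0x200])
```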

