[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Heartbeats (was RE: keepalives)
On Tue, 7 Dec 1999, Ricky Charlet wrote:
>
> > I'm not sure what heartbeat packet is best, ISAKMP, transport ESP or
> > 'hijacked' tunnelled ESP. I think this is a new protocol but I don't think
> > it justifies an SA of its own. I think using an ISAKMP notification is best
> > as most people seem to want this associated with the phase 1 SA.
>
>
>
> I'd like to see dead peer detection be in a dedicated IPsec SA pair per
> peer pair. There are several good things about doing dead peer detection
> this way:
>
This would require a new DOI, no? It's a dedicated phase 2 SA, but it's not
(I claim) an ipsec SA. So a new DOI is needed.
jan
> * If there are multiple IKE or IPsec SAs to same peer, only need one
> 'keepalive' session.
>
> * Allows IKE SAs to go away (or dangle the IPsec SAs) if an
> implementation so wishes.
>
> * Does not interfere with packet counts or inactivity time outs of IKE
> or other IPsec SAs.
>
> * IPsec may architecturally swap key management protocol without
> worrying about loosing dead peer detection functions.
>
> * may be enabled or disabled per peer by policy
>
>
>
> Here is one negative that I can think of: If one peer reconfigures such
> that some but not all current IPsec SAs become defunct, this scheme may
> not detect that or may think all current SAs became defunct. This could
> be engineered around with a dead peer recovery detection algorithm.
>
> --
> ####################################
> # Ricky Charlet
> # (510) 795-6903
> # rcharlet@redcreek.com
> ####################################
>
> end Howdy;
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847
Follow-Ups:
References: