
Re: Heartbeats (was RE: keepalives)



On Tue, 7 Dec 1999, Michael C. Richardson wrote:
> 
> >>>>> "Walker," == Walker, Jesse <jesse.walker@intel.com> writes:
>     Walker,> Why does it require a new DOI? Why can't we just define a new
>     Walker,> "heartbeat" application using, e.g., UDP port X? By definition
> 
>   Actually, we don't even need to do that. You can use ICMP ping, or 
> the UDP echo service.
> 
And how would you know if this is a 'heartbeat' or whether the user of the
tunnel is pinging (icmp or udp echo, whatever), i.e. how do you distinguish
this from real traffic?

Why is that important? People want to account for things. They want to charge
for things. If you skew the counts with bogus 'real traffic' (or don't count
real traffic because you mistake it for bogus keepalive traffic), then your
counts will be off.

You really have to have a quick and easy and uncomplicated way of determining
if this is real traffic or not. The best way is to keep it completely
separate from ipsec traffic, which means don't use any existing ipsec tunnels
for this, and also don't use any spoofed/special ipsec SAs for this. A
totally different phase 2 SA is needed (does this translate into a new DOI?
And would that really help? Beats me), or you use phase 1.

jan


>     Walker,> (and perhaps port number) used in the service. Why does this
>     Walker,> have to be any different than restricting end-to-end traffic on
>     Walker,> the SA to TCP port 23?
> 
>   I think that some gateways have not implemented all of these features, but
> I think that's their problem.
>   I would still like to see an "IKE ping" facility added that is valid even
> without a phase 1 SA for debugging purposes. 
> 
>    :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
>    Michael Richardson |  Cow#2: No. I'm a duck.
>  Home: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
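The accounting argument above, as an added example that is not part of the original post or of any IPsec implementation: a toy per-SA byte counter is run over constructed packet records for two designs, heartbeats sent as ICMP echo inside the customer's own SA (where they are indistinguishable from the customer's real pings) and heartbeats carried on a dedicated SA (where the outer SPI alone identifies them). The SPI values, the `Packet` record and the traffic mix are all constructed for the illustration.

```python
"""Why heartbeats inside the user's SA skew traffic accounting.

Constructed example: compares classifying keepalives by the inner
protocol (ICMP / UDP echo) with classifying them by a dedicated SA.
"""
from collections import defaultdict
from dataclasses import dataclass

USER_SA = 0x1001       # constructed SPI for the customer's phase 2 SA
HEARTBEAT_SA = 0x2002  # constructed SPI for a separate heartbeat-only SA
UDP_ECHO_PORT = 7


@dataclass(frozen=True)
class Packet:
    spi: int          # SA the packet travelled on (outer header)
    proto: str        # inner protocol: "icmp", "udp" or "tcp"
    dport: int        # inner destination port (0 for ICMP)
    length: int       # bytes the billing system should account for
    heartbeat: bool   # ground truth, known only to the sender (constructed)


def classify_by_inner_protocol(pkt):
    """Guess: anything that looks like a ping inside the SA is a keepalive.

    This is the design criticised above: a customer who pings a host
    through the tunnel is misclassified exactly like the heartbeat.
    """
    looks_like_ping = pkt.proto == "icmp" or (
        pkt.proto == "udp" and pkt.dport == UDP_ECHO_PORT
    )
    return "keepalive" if looks_like_ping else "user"


def classify_by_sa(pkt):
    """Heartbeats have their own SA, so the outer SPI decides, exactly."""
    return "keepalive" if pkt.spi == HEARTBEAT_SA else "user"


def account(packets, classifier):
    """Sum bytes per class the way a billing counter would."""
    totals = defaultdict(int)
    for pkt in packets:
        totals[classifier(pkt)] += pkt.length
    return dict(totals)


def true_totals(packets):
    """What the counts should have been, using the sender's ground truth."""
    totals = defaultdict(int)
    for pkt in packets:
        totals["keepalive" if pkt.heartbeat else "user"] += pkt.length
    return dict(totals)


def billing_error(packets, classifier):
    """Billable bytes the classifier gets wrong (positive = undercounted)."""
    return (true_totals(packets).get("user", 0)
            - account(packets, classifier).get("user", 0))


def user_traffic(spi):
    """Constructed customer traffic: two large pings plus a telnet session."""
    return ([Packet(spi, "icmp", 0, 1500, False)] * 2
            + [Packet(spi, "tcp", 23, 200, False)] * 5)


# Scenario A: heartbeats are ICMP echo requests inside the customer's SA.
IN_TUNNEL = user_traffic(USER_SA) + [Packet(USER_SA, "icmp", 0, 84, True)] * 3

# Scenario B: the same customer traffic, heartbeats on their own SA.
SEPARATE = user_traffic(USER_SA) + [Packet(HEARTBEAT_SA, "icmp", 0, 84, True)] * 3


if __name__ == "__main__":
    print("truth              :", true_totals(IN_TUNNEL))
    print("in-tunnel heuristic:", account(IN_TUNNEL, classify_by_inner_protocol),
          "user bytes undercounted:", billing_error(IN_TUNNEL, classify_by_inner_protocol))
    print("separate SA        :", account(SEPARATE, classify_by_sa),
          "user bytes undercounted:", billing_error(SEPARATE, classify_by_sa))
```

With the constructed mix, the in-tunnel heuristic books the customer's 3000 bytes of real pings as keepalive traffic and bills only the telnet session, while the dedicated-SA classifier reproduces the true totals without inspecting the inner packet at all, which is the "quick and easy and uncomplicated" property the message asks for.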


