[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats (was RE: keepalives)

To: ipsec@lists.tislabs.com
Subject: Re: Heartbeats (was RE: keepalives)
From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Date: Tue, 07 Dec 1999 21:30:57 -0500
In-Reply-To: Your message of "Tue, 07 Dec 1999 17:03:28 PST." <Pine.SOL.3.96.991207165850.21761n-100000@jvilhube-ss20.cisco.com>
Sender: owner-ipsec@lists.tislabs.com


>>>>> "Jan" == Jan Vilhuber <vilhuber@cisco.com> writes:
    Jan> On Tue, 7 Dec 1999, Michael C. Richardson wrote:
    >> >>>>> "Walker," == Walker, Jesse <jesse.walker@intel.com> writes:
    >> Walker,> Why does it require a new DOI? Why can't we just define a new
    >> Walker,> "heartbeat" application using, e.g., UDP port X? By
    >> definition
    >> 
    >> Actually, we don't even need to do that. You can use ICMP ping, or the
    >> UDP echo service.

    Jan> And how would you know if this is a 'heartbeat' or whether the user
    Jan> of the tunnel is pinging (icmp or udp echo, whatever), i.e. how do
    Jan> you distinguish this from real traffic?

  a) the user doesn't ping the internal interface of the gateway.
  b) who cares. If the user is alive, the user is alive.

    Jan> Why is that important? People want to account for things. They want
    Jan> to charge for things. If you skew the counts with bogus 'real
    Jan> traffic' (or don't count real traffic because you mistake it for
    Jan> bogus keepalive traffic), then your counts will be off.

  By 64 bytes per minute? Come on.
  TCP retransmits take more overhead than that.
  
  c) you make the heartbeat channel a seperate SA, as you suggested. You
just don't need the new "service"

    Jan> existing ipsec tunnels for this, and also don't use any
    Jan> spoofed/special ipsec SA's for this. A totally different phase 2 SA
    Jan> is needed (does this translate into a new DOI?  And would that
    Jan> really help? Beats me), or you use phase 1.

  1. the phase 1 may be dropped. You user might want to do this as well
     as the gateway, as they may have limited ram (think PalmPilot). So
     the existence (or lack of) of an active IKE daemon doesn't mean 
     that the user has gone.

  2. who cares if the phase 1 SA is there. It is the phase 2 SA that you
     want to clean up.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.

Follow-Ups:

Re: Heartbeats (was RE: keepalives)

From: Jan Vilhuber <vilhuber@cisco.com>

Re: Heartbeats (was RE: keepalives)

From: Bronislav Kavsan <bkavsan@ire-ma.com>

Re: Heartbeats (was RE: keepalives)

From: Slava Kavsan <bkavsan@ire-ma.com>

References:

Re: Heartbeats (was RE: keepalives)

From: Jan Vilhuber <vilhuber@cisco.com>

Prev by Date: Re: Heartbeats (was RE: keepalives)
Next by Date: RE: A fix for main mode with preshared keys
Prev by thread: Re: Heartbeats (was RE: keepalives)
Next by thread: Re: Heartbeats (was RE: keepalives)
Index(es):
- Main
- Thread