
Re: Heartbeats (was RE: keepalives)



On Tue, 7 Dec 1999, Michael C. Richardson wrote:
> 
> >>>>> "Jan" == Jan Vilhuber <vilhuber@cisco.com> writes:
>     Jan> On Tue, 7 Dec 1999, Michael C. Richardson wrote:
>     >> >>>>> "Walker," == Walker, Jesse <jesse.walker@intel.com> writes:
>     >> Walker,> Why does it require a new DOI? Why can't we just define a new
>     >> Walker,> "heartbeat" application using, e.g., UDP port X? By
>     >> definition
>     >> 
>     >> Actually, we don't even need to do that. You can use ICMP ping, or the
>     >> UDP echo service.
> 
>     Jan> And how would you know if this is a 'heartbeat' or whether the user
>     Jan> of the tunnel is pinging (icmp or udp echo, whatever), i.e. how do
>     Jan> you distinguish this from real traffic?
> 
>   a) the user doesn't ping the internal interface of the gateway.
>   b) who cares. If the user is alive, the user is alive.
> 
>     Jan> Why is that important? People want to account for things. They want
>     Jan> to charge for things. If you skew the counts with bogus 'real
>     Jan> traffic' (or don't count real traffic because you mistake it for
>     Jan> bogus keepalive traffic), then your counts will be off.
> 
>   By 64 bytes per minute? Come on.

You'd be surprised how picky some customers are... I could tell you stories
from PPP accounting that would make you puke...

jan



>   TCP retransmits take more overhead than that.
>   
>   c) you make the heartbeat channel a separate SA, as you suggested. You
> just don't need the new "service"
> 
>     Jan> existing ipsec tunnels for this, and also don't use any
>     Jan> spoofed/special ipsec SA's for this. A totally different phase 2 SA
>     Jan> is needed (does this translate into a new DOI?  And would that
>     Jan> really help? Beats me), or you use phase 1.
> 
>   1. the phase 1 may be dropped. Your user might want to do this as well
>      as the gateway, as they may have limited RAM (think PalmPilot). So
>      the existence (or lack) of an active IKE daemon doesn't mean 
>      that the user has gone.
> 
>   2. who cares if the phase 1 SA is there. It is the phase 2 SA that you
>      want to clean up.
> 
>    :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
>    Michael Richardson |  Cow#2: No. I'm a duck.
>  Home: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
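As an added illustration of the two points argued above (keepalives skewing per-user byte counts, and cleaning up phase 2 SAs when a peer goes quiet), here is a small per-SA accounting and liveness routine in the style a gateway might run. It is example code written for this page, not code from either poster or from any IPsec implementation; the SPI values, timeout and flow records are constructed, and it assumes the thread's option (c): heartbeats carried on their own phase 2 SA, identified by SPI, so they can be excluded from billing without guessing whether a ping inside the data SA is "real" traffic.

```python
# Added example: per-peer accounting and liveness for inbound ESP records.
# Assumes heartbeats ride on a dedicated phase 2 SA whose SPI is known to
# the gateway (constructed value below), so they never touch billable counts.
from dataclasses import dataclass, field

HEARTBEAT_SPIS = {0x3000}   # constructed: SPI of the heartbeat-only SA
DEAD_AFTER = 180            # seconds with no traffic at all => peer assumed gone


@dataclass
class PeerState:
    billable_bytes: int = 0               # what the customer is charged for
    heartbeat_bytes: int = 0              # counted, but kept out of billing
    last_seen: int = 0                    # any SA refreshes liveness
    data_spis: set = field(default_factory=set)


def process(records, now):
    """records: iterable of (timestamp, peer, spi, length) for inbound ESP.

    Returns (per-peer state, list of (peer, spi) phase 2 data SAs that have
    seen no traffic of any kind for DEAD_AFTER seconds and can be torn down).
    """
    peers = {}
    for ts, peer, spi, length in records:
        st = peers.setdefault(peer, PeerState())
        st.last_seen = max(st.last_seen, ts)     # heartbeat or data, peer is alive
        if spi in HEARTBEAT_SPIS:
            st.heartbeat_bytes += length          # never skews the bill
        else:
            st.billable_bytes += length
            st.data_spis.add(spi)
    stale = [(peer, spi) for peer, st in peers.items()
             if now - st.last_seen > DEAD_AFTER
             for spi in sorted(st.data_spis)]
    return peers, stale


# Constructed sample: peer A sends data plus 64-byte heartbeats roughly once a
# minute; peer B sends some data, two heartbeats, then falls silent. now=600.
SAMPLE = [
    (0,   "A", 0x1001, 1500), (60,  "A", 0x3000, 64), (120, "A", 0x3000, 64),
    (130, "A", 0x1001, 800),  (180, "A", 0x3000, 64), (540, "A", 0x3000, 64),
    (0,   "B", 0x2002, 1200), (60,  "B", 0x3000, 64), (120, "B", 0x3000, 64),
]

if __name__ == "__main__":
    peers, stale = process(SAMPLE, now=600)
    for name, st in peers.items():
        print(name, "billable", st.billable_bytes, "heartbeat", st.heartbeat_bytes)
    print("phase 2 SAs to clean up:", stale)
```

Without the separate SA (that is, heartbeats as ICMP or UDP echo inside the data SA), the `spi` test above has nothing to key on and the 64-byte keepalives land in `billable_bytes`, which is exactly the skew the thread is arguing about.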


