Re: Heartbeats (was RE: keepalives)
Doing heartbeats over IKE SA or IPSec SA is not free - i.e. the gateway connected to 1000 clients needs 1000 additional heartbeat IPSec SAs to negotiate and maintain - very ugly!
I am still not convinced about the security implications of insecure heartbeats - and would be interested in what people think.
"Michael C. Richardson" wrote:
> >>>>> "Jan" == Jan Vilhuber <vilhuber@cisco.com> writes:
> Jan> On Tue, 7 Dec 1999, Michael C. Richardson wrote:
> >> >>>>> "Walker," == Walker, Jesse <jesse.walker@intel.com> writes:
> >> Walker,> Why does it require a new DOI? Why can't we just define a new
> >> Walker,> "heartbeat" application using, e.g., UDP port X? By
> >> definition
> >>
> >> Actually, we don't even need to do that. You can use ICMP ping, or the
> >> UDP echo service.
>
> Jan> And how would you know if this is a 'heartbeat' or whether the user
> Jan> of the tunnel is pinging (icmp or udp echo, whatever), i.e. how do
> Jan> you distinguish this from real traffic?
>
> a) the user doesn't ping the internal interface of the gateway.
> b) who cares. If the user is alive, the user is alive.
>
> Jan> Why is that important? People want to account for things. They want
> Jan> to charge for things. If you skew the counts with bogus 'real
> Jan> traffic' (or don't count real traffic because you mistake it for
> Jan> bogus keepalive traffic), then your counts will be off.
>
> By 64 bytes per minute? Come on.
> TCP retransmits take more overhead than that.
>
> c) you make the heartbeat channel a separate SA, as you suggested. You
> just don't need the new "service"
>
> Jan> existing ipsec tunnels for this, and also don't use any
> Jan> spoofed/special ipsec SA's for this. A totally different phase 2 SA
> Jan> is needed (does this translate into a new DOI? And would that
> Jan> really help? Beats me), or you use phase 1.
>
> 1. the phase 1 may be dropped. Your user might want to do this as well
> as the gateway, as they may have limited ram (think PalmPilot). So
> the existence (or lack of) of an active IKE daemon doesn't mean
> that the user has gone.
>
> 2. who cares if the phase 1 SA is there. It is the phase 2 SA that you
> want to clean up.
>
> :!mcr!: | Cow#1: Are you worried about getting Mad Cow Disease?
> Michael Richardson | Cow#2: No. I'm a duck.
> Home: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive Suite 513
Danvers, MA 01923
voice: 978-539-4816
http://www.ire.com