Re: Heartbeats (was RE: keepalives)
Howdy ()
Here are some thoughts I have come up with or collected so far. It is
mostly bad news...
* Knowing that each IKE and IPsec SA is 'up' is overkill; we only need
to know if each peer is still reachable.
* Unsecured heartbeats in the clear leave you open to DoS attack, as
anybody can spoof you into thinking that your peer is non-responsive.
* Heartbeats in IKE will not fly for manual keys or if we ever swap
dynamic key maintenance from IKE to something else.
* Heartbeats in a separate and dedicated IPsec or IKE channel do not
scale to the remote access problem.
* Heartbeats inline with existing IPsec SAs cause accounting
difficulties.
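An added illustration of the second point above (the unauthenticated-heartbeat DoS), not part of this message nor of any IKE or IPsec specification. It models a peer-liveness monitor in two configurations: heartbeats sent in the clear, and heartbeats carrying an HMAC over a sequence number. The wire format, the shared key, the miss threshold and the monitor class are all assumptions made for the example; they are not how IKE dead-peer detection is actually encoded.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed, hypothetical heartbeat wire format (not IKE DPD or any IPsec format):
#   4-byte big-endian sequence number || 1-byte type || 32-byte HMAC-SHA256 tag
# In the "in the clear" variant the tag is simply absent.
HB_REQUEST, HB_REPLY = 0, 1
BODY_LEN, TAG_LEN = 5, 32
SHARED_KEY = b"constructed-shared-key"   # assumed pre-shared heartbeat key


def build_heartbeat(seq: int, hb_type: int, key: Optional[bytes] = None) -> bytes:
    """Encode a heartbeat; when a key is given, append an HMAC over the body."""
    body = struct.pack("!IB", seq, hb_type)
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()


class PeerMonitor:
    """Decides whether one peer is still reachable from the heartbeats it returns.

    key=None models unsecured heartbeats in the clear; any well-formed message
    is trusted.  With a key, only messages bearing a valid tag touch state.
    """

    def __init__(self, key: Optional[bytes], missed_limit: int = 3):
        self.key = key
        self.missed_limit = missed_limit
        self.last_seq = -1          # highest sequence number accepted so far
        self.missed = 0             # consecutive intervals without a valid reply

    def accept(self, msg: bytes) -> bool:
        """Validate one received heartbeat; return True if it counts as a reply."""
        if self.key is not None:
            if len(msg) != BODY_LEN + TAG_LEN:
                return False
            body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False        # forged or corrupted: leave liveness state alone
        else:
            if len(msg) != BODY_LEN:
                return False
            body = msg
        seq, _hb_type = struct.unpack("!IB", body)
        if seq <= self.last_seq:
            return False            # replayed or stale sequence number
        self.last_seq = seq
        self.missed = 0
        return True

    def mark_missed(self) -> None:
        """Called once per heartbeat interval in which no valid reply arrived."""
        self.missed += 1

    def peer_reachable(self) -> bool:
        return self.missed < self.missed_limit


def run_scenario(authenticated: bool) -> bool:
    """The genuine peer answers heartbeats 1..5; after reply 2 a third party
    with no key injects a reply carrying sequence number 1000.
    Returns whether the monitor still considers the genuine peer reachable."""
    key = SHARED_KEY if authenticated else None
    mon = PeerMonitor(key)
    for seq in (1, 2):
        mon.accept(build_heartbeat(seq, HB_REPLY, key))
    # The injected message: no tag in the clear-text design, a tag under the
    # wrong key in the authenticated one (the injector does not hold SHARED_KEY).
    injected = build_heartbeat(1000, HB_REPLY, None if key is None else b"wrong-key")
    mon.accept(injected)
    # The genuine peer keeps replying; each rejected reply counts as a missed interval.
    for seq in (3, 4, 5):
        if not mon.accept(build_heartbeat(seq, HB_REPLY, key)):
            mon.mark_missed()
    return mon.peer_reachable()


if __name__ == "__main__":
    print("in the clear, peer reachable:", run_scenario(False))   # False
    print("authenticated, peer reachable:", run_scenario(True))   # True
```

In the clear-text configuration the injected message advances the monitor's sequence window past the genuine peer's, so every later genuine reply looks like a replay and the peer is declared unreachable after three intervals. With the tag checked first, the injected message is dropped before it can touch any state and the genuine replies continue to count.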