
Re: Heartbeats (was RE: keepalives)



Howdy ()
	Here are some thoughts I have come up with or collected so far. It is
mostly bad news...


 * Knowing that each IKE and IPsec SA is 'up' is overkill, we only need
to know if each peer is still reachable.

 * Unsecured heartbeats in the clear leave you open to DoS attack as
anybody can spoof you into thinking that your peer is non-responsive.

 * Heartbeats in IKE will not fly for manual keys or if we ever swap
dynamic key maintenance from IKE to something else.

 * Heartbeats in a separate and dedicated IPsec or IKE channel do not
scale to the remote access problem.

 * Heartbeats inline with existing IPsec SAs cause accounting
difficulties.


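The spoofing point in the second bullet is easy to see in a small model, so here is an added example (my own illustration, not code from the poster or from any IKE implementation). It assumes a simplified one-way heartbeat format of a 4-byte sequence number followed by an HMAC-SHA256 tag, a constructed shared key standing in for keying material that would really come from the IKE SA, and a fixed 30-second liveness timeout; the names `build_heartbeat`, `PeerMonitor` and `simulate` are mine. The "in the clear" mode ignores the tag, so an off-path sender can inject a packet with a huge sequence number, after which every genuine heartbeat is discarded as a replay and the peer is wrongly declared dead. The authenticated mode rejects the forgery before it can touch the sequence window.

```python
import hashlib
import hmac
import struct

# Constructed demo key: in a real system this would be derived from the
# IKE SA keying material, never a fixed string.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

TAG_LEN = 32  # HMAC-SHA256 output length
PKT_LEN = 4 + TAG_LEN


def build_heartbeat(seq, key=SHARED_KEY):
    """Encode a heartbeat as big-endian 4-byte seq || HMAC-SHA256(key, seq)."""
    body = struct.pack("!I", seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class PeerMonitor:
    """Tracks the last heartbeat accepted from one peer.

    authenticated=False models heartbeats sent in the clear: the tag is
    ignored, so any correctly shaped packet updates liveness state.
    authenticated=True requires a valid tag before the sequence window is
    touched. Both modes enforce a strictly increasing sequence number.
    """

    def __init__(self, key=SHARED_KEY, authenticated=True, timeout=30.0):
        self.key = key
        self.authenticated = authenticated
        self.timeout = timeout
        self.last_seq = -1      # highest sequence number accepted so far
        self.last_seen = None   # time of the last accepted heartbeat

    def accept(self, packet, now):
        """Process one received packet; return True if it was accepted."""
        if len(packet) != PKT_LEN:
            return False
        body, tag = packet[:4], packet[4:]
        if self.authenticated:
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, tag):
                return False  # forged or corrupted: ignore entirely
        seq = struct.unpack("!I", body)[0]
        if seq <= self.last_seq:
            return False      # replay or out-of-order: ignore
        self.last_seq = seq
        self.last_seen = now
        return True

    def peer_alive(self, now):
        """True if a heartbeat was accepted within the timeout window."""
        return self.last_seen is not None and now - self.last_seen <= self.timeout


def simulate(authenticated):
    """Run a scripted exchange (constructed timeline) and report the outcome.

    t=0,10,20 : genuine heartbeats seq 1..3
    t=25      : off-path sender injects seq 0xFFFFFFFF with a garbage tag
    t=30,40,50: genuine heartbeats seq 4..6
    t=60      : ask the monitor whether the peer is still alive
    """
    monitor = PeerMonitor(authenticated=authenticated, timeout=30.0)
    genuine = []
    for i, seq in enumerate((1, 2, 3)):
        genuine.append(monitor.accept(build_heartbeat(seq), now=10.0 * i))
    forged = struct.pack("!I", 0xFFFFFFFF) + b"\x00" * TAG_LEN
    forged_accepted = monitor.accept(forged, now=25.0)
    for i, seq in enumerate((4, 5, 6)):
        genuine.append(monitor.accept(build_heartbeat(seq), now=30.0 + 10.0 * i))
    return {
        "forged_accepted": forged_accepted,
        "genuine_accepted": genuine,
        "peer_alive": monitor.peer_alive(now=60.0),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("authenticated" if mode else "in the clear", simulate(mode))
```

In the clear, the injected packet is accepted, poisons the sequence window, and by t=60 the peer looks dead even though it sent heartbeats on time; with the tag checked first, the forgery is dropped and the genuine heartbeats keep the peer alive. The example only covers forging; it says nothing about the scaling or accounting bullets, which are deployment questions rather than protocol-mechanics ones.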