
Re: Heartbeats (was RE: keepalives)



>>>>> "Ricky" == Ricky Charlet <rcharlet@redcreek.com> writes:

 Ricky> Howdy () Here are some thoughts I have come up with or
 Ricky> collected so far. It is mostly bad news...

 Ricky> * Unsecured heartbeats in the clear leave you open to DOS
 Ricky> attack as anybody can spoof you into thinking that your peer
 Ricky> is non-responsive.

How can you do that?  Clearly you can make a down peer appear up, but
I don't see how you can make an up peer appear down by spoofing
packets.

 Ricky> * Heartbeats in IKE will not fly for manual keys or if we ever
 Ricky> swap dynamic key maintenance from IKE to something else.

I don't see that manual keying is relevant.  By definition, with
manual keying you manually manage the SA states at both endpoints.  If 
it's manual then it's not automatic, not even a little bit.  So there
can never be any keying or SA maintenance protocol of any kind when
you're talking about manual keying.

Non-IKE?  The subject is keepalives in or for the benefit of IKE.  If
you're not doing IKE then you can solve the problem in that new
context, if you wish to (which presumably you will).

 Ricky> * Heartbeats in a separate and dedicated IPsec or IKE channel
 Ricky> does not scale to the remote access problem.

 Ricky> * Heartbeats inline with existing IPsec SAs cause accounting
 Ricky> difficulties.

I don't agree.  If you have a clear way of recognizing heartbeat
messages then the accounting is obviously a non-issue.  The more basic
issue, as Jan Vilhuber points out, is how to recognize such messages
without a lot of extra processing in the high speed data forwarding
path.

There's only one field I can see that will do this, but the price may
be too high.  Clearly every security gateway has to look at the "next
header" field.  So a new IP protocol number could be used for
heartbeats without forcing the IPSEC processor to look at anything it
isn't already looking at.  Whether the numbers authority is thrilled
about the notion of using up a number for this is another question...

	paul
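As an added illustration of the two points argued above (heartbeat recognition from the "next header" field alone, and heartbeats kept out of the per-SA accounting), here is a small C model of a gateway's classification step. It is example code written for this archive page, not code from the message's author or from any IPsec implementation. The protocol number it uses for heartbeats (253) is an assumption for the sake of the example; no number has been assigned for this purpose, and 253 is merely the IANA value reserved for experimentation. The packets are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IANA-assigned protocol numbers for the two IPsec headers. */
#define PROTO_ESP 50
#define PROTO_AH  51
/* Assumed value for the heartbeat protocol number the message proposes.
 * Nothing is assigned for this; 253 is reserved for experimentation (RFC 3692). */
#define PROTO_HEARTBEAT_ASSUMED 253

enum pkt_class { PKT_INVALID = 0, PKT_OTHER, PKT_ESP, PKT_AH, PKT_HEARTBEAT };

/* Per-class packet and byte accounting for the forwarding path;
 * heartbeats land in their own bucket, so data-SA accounting is untouched. */
struct counters {
    unsigned long pkts[5];
    unsigned long bytes[5];
};

/* Liveness record for one peer; refreshed only by heartbeat arrivals. */
struct peer_state {
    uint32_t last_seen;   /* seconds; 0 = never heard from */
};

/* Classify an IPv4 packet from its header alone. Apart from the version
 * and length sanity checks, the only field read is byte 9, the protocol
 * ("next header") field that the gateway already has to examine. */
enum pkt_class classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_INVALID;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return PKT_INVALID;
    switch (pkt[9]) {
    case PROTO_ESP:               return PKT_ESP;
    case PROTO_AH:                return PKT_AH;
    case PROTO_HEARTBEAT_ASSUMED: return PKT_HEARTBEAT;
    default:                      return PKT_OTHER;
    }
}

/* Account the packet under its class; a heartbeat refreshes the peer's liveness. */
enum pkt_class process_packet(const uint8_t *pkt, size_t len,
                              struct counters *c, struct peer_state *peer, uint32_t now)
{
    enum pkt_class k = classify_ipv4(pkt, len);
    c->pkts[k]++;
    c->bytes[k] += len;
    if (k == PKT_HEARTBEAT && now > peer->last_seen)
        peer->last_seen = now;
    return k;
}

/* A peer is "up" while a heartbeat arrived within the timeout. An arriving
 * packet can only move last_seen forward, never backwards, which is why an
 * unauthenticated heartbeat can make a down peer look up but not the reverse. */
int peer_is_up(const struct peer_state *peer, uint32_t now, uint32_t timeout)
{
    return peer->last_seen != 0 && now - peer->last_seen <= timeout;
}

/* Constructed sample: a minimal 20-byte IPv4 header (no options) with the
 * given protocol number and a zeroed payload. Checksum is left zero. */
size_t build_ipv4(uint8_t *buf, size_t cap, uint8_t proto, size_t payload_len)
{
    size_t total = 20 + payload_len;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                       /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[8] = 64;                         /* TTL */
    buf[9] = proto;
    /* constructed addresses from the 192.0.2.0/24 documentation range */
    buf[12] = 192; buf[13] = 0; buf[14] = 2; buf[15] = 1;
    buf[16] = 192; buf[17] = 0; buf[18] = 2; buf[19] = 2;
    return total;
}

/* Run a constructed batch (ESP, heartbeat, ESP) through the path and return
 * the bytes charged to ESP, to show the heartbeat did not inflate it. */
unsigned long demo_batch(struct counters *c, struct peer_state *peer)
{
    uint8_t buf[256];
    size_t n;
    memset(c, 0, sizeof *c);
    memset(peer, 0, sizeof *peer);
    n = build_ipv4(buf, sizeof buf, PROTO_ESP, 100);
    process_packet(buf, n, c, peer, 10);
    n = build_ipv4(buf, sizeof buf, PROTO_HEARTBEAT_ASSUMED, 8);
    process_packet(buf, n, c, peer, 11);
    n = build_ipv4(buf, sizeof buf, PROTO_ESP, 60);
    process_packet(buf, n, c, peer, 12);
    return c->bytes[PKT_ESP];
}
```

The design point is the one the message makes: because the dispatch keys on a field the gateway reads for every packet anyway, recognizing heartbeats costs nothing extra in the forwarding path, and keeping them in a separate counter bucket removes the accounting objection. What the example does not address is the authentication question raised at the top of the thread: a liveness record refreshed by any packet carrying the right protocol number trusts the network, so in a real design the heartbeat would need to be protected (for example by carrying it inside an existing SA) before it could be relied on.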

