[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats (was RE: keepalives)

To: ipsec@lists.tislabs.com
Subject: Re: Heartbeats (was RE: keepalives)
From: "Michael C. Richardson" <mcr@sandelman.ottawa.on.ca>
Date: Wed, 08 Dec 1999 14:49:06 -0500
In-Reply-To: Your message of "Wed, 08 Dec 1999 09:17:12 EST." <384E6868.BC59AFAD@ire-ma.com>
Sender: owner-ipsec@lists.tislabs.com


>>>>> "Slava" == Slava Kavsan <bkavsan@ire-ma.com> writes:
    Slava> Doing heartbeats over IKE SA or IPSec SA is not free - i.e. the
    Slava> gateway connected to 1000 Clients needs 1000 addtional heartbeat
    Slava> IPSec SAs to negotiate and maintain - very ugly!

  I agree. 
  I would advocate in the gateway->client case sending an ICMP ping to the
client's internal address, from the gateway's internal address on the primary 
phase 2 SA. This ought to fit into the typical setup's SPD.

    Slava> I am still not convinced about security implications of unsecure
    Slava> hearbeats - and would be interested in what people think.

  I'm not suggesting that heartbeats be insecure. Rather than IKE needs
something to help debugging.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.

Follow-Ups:

Re: Heartbeats (was RE: keepalives)

From: Slava Kavsan <bkavsan@ire-ma.com>

Re: Heartbeats (was RE: keepalives)

From: "Derrell D. Piper" <ddp@network-alchemy.com>

References:

Re: Heartbeats (was RE: keepalives)

From: Slava Kavsan <bkavsan@ire-ma.com>

Prev by Date: Re: cookie verification
Next by Date: RE: Heartbeats (was RE: keepalives)
Prev by thread: Re: Heartbeats (was RE: keepalives)
Next by thread: Re: Heartbeats (was RE: keepalives)
Index(es):
- Main
- Thread