
Re: Heartbeats (was RE: keepalives)



Andrew Krywaniuk wrote:
> 
> >  Ricky> * Unsecured heartbeats in the clear leave you open to DOS
> >  Ricky> attack as anybody can spoof you into thinking that your peer
> >  Ricky> is non-responsive.
> >
> > How can you do that?  Clearly you can make a down peer appear up, but
> > I don't see how you can make an up peer appear down by spoofing
> > packets.
> 
<<trim>>
> Obviously we can't deal with the non-responsiveness issue. The only way to
> spoof non-responsiveness is for the attacker to remove packets from the
> wire, and if they can do that then they don't need any help effecting a DoS
> attack.
<<trim>>
> 
> Andrew



Howdy ()

	OK. I call in an official "nevermind" on that DOS susceptibility
statement above.

	But I also disagree with the idea that the goal of our heartbeat is for
IKE's benefit alone. This discussion certainly started because we were
debating IKE continuous move vs. dangling implementations and IKE
heartbeats were originally suggested as a way to help us clean up IKE
state more confidently when we can know that a peer is no longer
responsive. But others have mentioned, and I agree, that heartbeat or
dead-peer-detection should serve other purposes as well and among these
are fail-over action triggering, and alert generation. This is not to
say that dead-peer-detection cannot be within IKE. I am just trying to
get the list to consider that we do have more options and should examine
them.
	
	I did find Slava's observation that a separate channel for heartbeats
does not scale to large remote access scenarios devastating to my
advocating for separate channel IPsec SAs. I have to admit that I was
thinking of gateway to gateway environments.

	In my mind, this leaves heartbeats in-channel, inside of IKE or
heartbeats in the clear as the only contenders left. What do y'all
think?


-- 
####################################
#  Ricky Charlet
#	(510) 795-6903
#	rcharlet@redcreek.com
####################################

end Howdy;
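The point conceded in the quoted exchange, that a spoofer can make a down peer look up but cannot make an up peer look down without removing packets, as an added example that is not from the thread: a hypothetical dead-peer-detection monitor is run once accepting cleartext replies and once requiring an HMAC-keyed reply (the keyed design and the names are assumptions, not anything the list proposed). A forged, untagged reply keeps the dead peer "up" in cleartext mode, while the keyed monitor still declares it dead after three missed probes.

```python
import hashlib, hmac

# Constructed example, not code from the thread: a minimal dead-peer-detection
# monitor in two modes. mode="clear" accepts any reply carrying the current
# sequence number; mode="keyed" also requires a valid HMAC under a shared key.

class HeartbeatMonitor:
    def __init__(self, mode, key=b"", miss_limit=3):
        self.mode, self.key, self.miss_limit = mode, key, miss_limit
        self.seq = 0        # sequence number of the outstanding probe
        self.misses = 0     # consecutive probes without a valid reply
        self.peer_up = True

    def tag(self, seq):  # reply authenticator: HMAC over the probe's sequence number
        return hmac.new(self.key, b"hb-reply:%d" % seq, hashlib.sha256).digest()

    def send_probe(self):
        self.seq += 1
        return self.seq

    def valid(self, reply):
        if reply.get("seq") != self.seq:        # stale or replayed reply
            return False
        if self.mode == "keyed":
            return hmac.compare_digest(reply.get("tag", b""), self.tag(self.seq))
        return True

    def handle_replies(self, replies):  # consume the replies seen for the current probe
        if any(self.valid(r) for r in replies):
            self.misses, self.peer_up = 0, True
        else:
            self.misses += 1
            if self.misses >= self.miss_limit:
                self.peer_up = False
        return self.peer_up

def simulate(mode, key, honest_rounds, forged_rounds, rounds=3):
    """The real peer answers (with a tag) only in honest_rounds; a third party that
    sees the probe but lacks the key injects an untagged reply in forged_rounds.
    Returns the monitor's final view of whether the peer is up."""
    m = HeartbeatMonitor(mode, key)
    for i in range(rounds):
        seq = m.send_probe()
        replies = []
        if i in honest_rounds:
            replies.append({"seq": seq, "tag": m.tag(seq)})   # genuine peer holds the key
        if i in forged_rounds:
            replies.append({"seq": seq})                        # spoofed reply, no tag
        m.handle_replies(replies)
    return m.peer_up
```

Note that neither mode lets an injected packet turn a responsive peer into a dead one: extra replies can only add evidence of liveness, which is the asymmetry the thread settles on.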

