
Re: Heartbeats (was RE: keepalives)




>>>>> "Slava" == Slava Kavsan <bkavsan@ire-ma.com> writes:
    Slava> "Michael C. Richardson" wrote:

    >> I mean, if you have only one phase 2 SA, then you can use it. If you
    >> have multiple phase 2 SAs, or you have accounting issues, then you
    >> shouldn't mind creating an ICMP-only SA.  My use of "primary" was
    >> confusing.

    Slava> So, you are advocating creating a special ICMP heartbeat IPSec SA that
    Slava> terminates on the gateway (ESP/Transport)?  I thought you didn't
    Slava> like the overhead and complexity?

  No. I am suggesting that one should always try and use an existing SA,
but if there isn't one that satisfies the requirements, then create one if
you can afford to, or deal without heartbeat.
  I don't see any complexity, since you see the heartbeat coming out
of the decryption routines, and do not even pass it to the routing engine.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.




