Re: Heartbeats (was RE: keepalives)
I doubt that many people will have IPSec SA from Client-to-Gateway that terminate on the gateway - and if this is the case - 1000 Clients
connected to the gateway will result in 1000 additional IPSec SAs on the gateway for heartbeat traffic. I don't think that this is a good idea.
"Michael C. Richardson" wrote:
> >>>>> "Slava" == Slava Kavsan <bkavsan@ire-ma.com> writes:
> Slava> "Michael C. Richardson" wrote:
>
> >> I mean, if you have only one phase 2 SA, then you can use it. If you
> >> have multiple phase 2 SAs, or you have accounting issues, then you
> >> shouldn't mind creating an ICMP-only SA. My use of "primary" was
> >> confusing.
>
> Slava> So, you are advocating creating special ICMP heartbeat IPSec SA that
> Slava> terminates on the gateway (ESP/Transport)? I thought you didn't
> Slava> like the overhead and complexity?
>
> No. I am suggesting that one should always try and use an existing SA,
> but if there isn't one that satisfies the requirements, then create one if
> you can afford to, or deal without heartbeat.
> I don't see any complexity, since you see the heartbeat coming out
> of the decryption routines, and do not even pass it to the routing engine.
>
> :!mcr!: | Cow#1: Are you worried about getting Mad Cow Disease?
> Michael Richardson | Cow#2: No. I'm a duck.
> Home: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html (mcr@sandelman.ottawa.on.ca). PGP key available.
--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive Suite 513
Danvers, MA 01923
voice: 978-539-4816
http://www.ire.com