
Re: Heartbeats (was RE: keepalives)




>>>>> "Slava" == Slava Kavsan <bkavsan@ire-ma.com> writes:
    Slava> I doubt that many people will have IPSec SA from Client-to-Gateway
    Slava> that terminate on the gateway - and if this is the case - 1000
    Slava> Clients connected to the gateway will result in 1000 additional
    Slava> IPSec SAs on the gateway for heartbeat traffic. I don't think that
    Slava> this is a good idea.

  To the external address of the gateway, it is true.

  However, I'll bet that 95% of cases will look something like this:


  C<==================>Gw<------ A.B/16 ---->S (A.B.10.254)
  1.1.1.2       3.4.5.6  A.B.1.1

  With the tunnel being from C's assigned address to A.B/16. Note that this
will include the gateway's internal address A.B.1.1! If the gateway sends 
the ping to 1.1.1.2 from A.B.1.1 that requires no new SA, and the client
will just respond to it and use the same routing it would for A.B.

  If there are per-host or per-port SAs involved, then the gateway already
has a lot of SAs per client. If the gateway is not part of the A.B/16
network, it is conceivable that it might be "assigned" an address that does
appear to be on that network. Note: there isn't really any requirement that
the ping response even reach the Gw, so long as it traverses the Gw. If the
SAD entry is marked via some LRU algorithm, you can determine which SAs
have had traffic recently.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.
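The following is an added example illustrating the argument in the message above; it is not code from the original post, from the author, or from any IPsec implementation. It models a gateway's SAD as a list of tunnel SAs with traffic selectors, using the addresses from the diagram (client 1.1.1.2, gateway external 3.4.5.6, internal A.B.1.1, server A.B.10.254) and assuming A.B = 10.20. The SPIs, the second idle client 1.1.1.3, and the idle threshold are hypothetical. It shows that a ping sourced from the gateway's internal address matches the existing client-to-A.B/16 SA while one from the external address does not, that the client's reply (or any transit traffic) refreshes the same SA, and how a last-used stamp on each SAD entry identifies SAs with no recent traffic.

```python
"""Heartbeats over an existing tunnel SA plus last-used tracking in the SAD.

Added example, not code from the original message or from any IPsec stack.
Assumption: the message's "A.B" network is 10.20/16 here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Network = ipaddress.IPv4Network
ip = ipaddress.ip_address


@dataclass
class TunnelSA:
    """One SAD entry: SPI, the two traffic selectors, and a last-used stamp."""
    spi: int
    gw_side: ipaddress.IPv4Network       # selector on the gateway/intranet side
    client_side: ipaddress.IPv4Network   # selector on the client side
    last_used: float = 0.0


class SAD:
    """Minimal security association database keyed by traffic selectors."""

    def __init__(self) -> None:
        self.entries: List[TunnelSA] = []

    def add(self, sa: TunnelSA) -> None:
        self.entries.append(sa)

    def outbound(self, src: str, dst: str, now: float) -> Optional[int]:
        """Gateway sends src->dst toward a client. Returns the SPI of the SA
        that carries it, or None if no existing SA covers the pair (meaning a
        new SA would have to be negotiated just for the heartbeat)."""
        for sa in self.entries:
            if ip(src) in sa.gw_side and ip(dst) in sa.client_side:
                sa.last_used = now
                return sa.spi
        return None

    def inbound(self, src: str, dst: str, now: float) -> Optional[int]:
        """A packet arrives from a client through the tunnel. Any matching
        packet refreshes the SA, whether it is addressed to the gateway itself
        or merely traverses the gateway on its way into A.B/16."""
        for sa in self.entries:
            if ip(src) in sa.client_side and ip(dst) in sa.gw_side:
                sa.last_used = now
                return sa.spi
        return None

    def idle(self, now: float, max_idle: float) -> List[int]:
        """SPIs of SAs that have carried no traffic within max_idle seconds."""
        return [sa.spi for sa in self.entries if now - sa.last_used > max_idle]


def build_sad() -> SAD:
    sad = SAD()
    # Client 1.1.1.2 has a tunnel-mode SA covering the whole intranet 10.20/16.
    sad.add(TunnelSA(spi=0x1001, gw_side=IPv4Network("10.20.0.0/16"),
                     client_side=IPv4Network("1.1.1.2/32")))
    # Hypothetical second client that never sends anything, to show idle detection.
    sad.add(TunnelSA(spi=0x1002, gw_side=IPv4Network("10.20.0.0/16"),
                     client_side=IPv4Network("1.1.1.3/32")))
    return sad


def heartbeat_demo() -> dict:
    sad = build_sad()
    gw_internal = "10.20.1.1"   # A.B.1.1, inside the tunnel's A.B/16 selector
    gw_external = "3.4.5.6"     # outer address, covered by no selector
    client = "1.1.1.2"
    server = "10.20.10.254"     # A.B.10.254

    # Heartbeat from the internal address rides the existing SA: no new SA needed.
    from_internal = sad.outbound(gw_internal, client, now=100.0)
    # Heartbeat from the external address matches nothing: it would need a new SA.
    from_external = sad.outbound(gw_external, client, now=100.0)
    # The client's echo reply comes back over the same SA and refreshes it.
    reply = sad.inbound(client, gw_internal, now=101.0)
    # Ordinary client-to-server traffic transits the Gw and refreshes it equally.
    transit = sad.inbound(client, server, now=150.0)
    # With a 60 s threshold at t=200, only the silent client's SA is idle.
    idle = sad.idle(now=200.0, max_idle=60.0)
    return {"from_internal": from_internal, "from_external": from_external,
            "reply": reply, "transit": transit, "idle": idle}


if __name__ == "__main__":
    for name, value in heartbeat_demo().items():
        print(f"{name}: {value}")
```

The selector check is a deliberate simplification (real SPD/SAD lookups also consider protocol, ports, and direction-specific policy), but it is enough to show why the source address of the heartbeat decides whether an extra SA is required, and why a per-SA last-used stamp answers the liveness question without any heartbeat reaching the gateway's own stack.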


