
Re: Heartbeats (was RE: keepalives)



If a gateway protects the internal subnet 199.34.57.0/255.255.255.0 and has the internal address 199.34.57.27, how would the Client know this internal
gateway address in order to ping it?
Do you suggest configuring this address in the Policy? I bet you will not find too many products that do this; most (if not all)
only know the gateway by its external address.

"Michael C. Richardson" wrote:

> >>>>> "Slava" == Slava Kavsan <bkavsan@ire-ma.com> writes:
>     Slava> I doubt that many people will have IPSec SA from Client-to-Gateway
>     Slava> that terminate on the gateway - and if this is the case - 1000
>     Slava> Clients connected to the gateway will result in 1000 additional
>     Slava> IPSec SAs on the gateway for heartbeat traffic. I don't think that
>     Slava> this a good idea.
>
>   To the external address of the gateway, it is true.
>
>   However, I'll bet that 95% of cases will look something like this:
>
>   C<==================>Gw<------ A.B/16 ---->S (A.B.10.254)
>   1.1.1.2       3.4.5.6  A.B.1.1
>
>   With the tunnel being from C's assigned address to A.B/16. Note that this
> will include the gateway's internal address A.B.1.1! If the gateway sends
> the ping to 1.1.1.2 from A.B.1.1 that requires no new SA, and the client
> will just respond to it and use the same routing it would for A.B.
>
>   If there are per-host or per-port SAs involved, then the gateway already
> has a lot of SAs per client. If the gateway is not part of the A.B/16
> network, it is conceivable that it might be "assigned" an address that does
> appear to be on that network. Note: there isn't really any requirement that
> the ping response even reach the Gw, so long as it traverses the Gw, and the
> SAD entry is marked via some LRU algorithm, you can determine which SAs
> have had traffic recently.
>
>    :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
>    Michael Richardson |  Cow#2: No. I'm a duck.
>  Home: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
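The point made in the quoted reply, as an added example that is not part of this thread: a minimal SAD model in which a ping sent by the gateway from its internal address (Slava's 199.34.57.27, inside the protected /24) matches the existing client tunnel, while one sent from the external address 3.4.5.6 would need a new SA, and an LRU mark on each entry is used to pick out SAs that have seen no recent traffic. Addresses come from the two mails; the SPI, the timestamps and the function names are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SadEntry:
    """One SA as a peer's SAD sees it: the traffic selectors it carries and
    when it last carried traffic (the LRU mark the thread mentions)."""
    spi: int
    local: ipaddress.IPv4Network    # this peer's side of the selector
    remote: ipaddress.IPv4Network   # other peer's side of the selector
    last_traffic: float = 0.0       # seconds on a monotonic clock

    def covers(self, src: str, dst: str) -> bool:
        """True if an outbound packet src->dst falls inside the selectors."""
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote)

def find_sa_for(sad, src, dst):
    """The SA that would carry src->dst, or None (a new SA would be needed)."""
    return next((sa for sa in sad if sa.covers(src, dst)), None)

def mark_traffic(sa, now):
    """Update the LRU mark whenever a packet is sent or received on the SA."""
    sa.last_traffic = now

def idle_sas(sad, now, interval):
    """SAs that carried nothing in the last interval: heartbeat candidates."""
    return [sa for sa in sad if now - sa.last_traffic > interval]

# Constructed topology: Slava's subnet and internal address, Michael's client
# and external addresses. A single tunnel: client address <-> whole subnet.
SUBNET = ipaddress.ip_network("199.34.57.0/24")
GATEWAY_INTERNAL, GATEWAY_EXTERNAL, CLIENT = "199.34.57.27", "3.4.5.6", "1.1.1.2"

def gateway_sad():
    # Gateway side: local selector is the protected subnet, remote is the client.
    return [SadEntry(0x1001, SUBNET, ipaddress.ip_network(CLIENT + "/32"), 100.0)]

def client_sad():
    # Client side of the same SA: the reply to 199.34.57.27 is covered by /24.
    return [SadEntry(0x1001, ipaddress.ip_network(CLIENT + "/32"), SUBNET, 100.0)]
```

The client never needs to be told the internal address: its reply to 199.34.57.27 falls inside the 199.34.57.0/24 selector it already has, which is what "use the same routing it would for A.B" means above.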