Re: Heartbeats (was RE: keepalives)
If a gateway protects the internal subnet 199.34.57.0/255.255.255.0 and has the internal address 199.34.57.27, how would the Client know this internal
gateway address in order to ping it?
Do you suggest configuring this address in the Policy? I bet you will not find too many products that do this; most (if not all)
only know the gateway by its external address.
"Michael C. Richardson" wrote:
> >>>>> "Slava" == Slava Kavsan <bkavsan@ire-ma.com> writes:
> Slava> I doubt that many people will have IPSec SA from Client-to-Gateway
> Slava> that terminate on the gateway - and if this is the case - 1000
> Slava> Clients connected to the gateway will result in 1000 additional
> Slava> IPSec SAs on the gateway for heartbeat traffic. I don't think that
> Slava> this a good idea.
>
> To the external address of the gateway, it is true.
>
> However, I'll bet that 95% of cases will look something like this:
>
>    C<==================>Gw<------ A.B/16 ---->S (A.B.10.254)
> 1.1.1.2          3.4.5.6  A.B.1.1
>
> With the tunnel being from C's assigned address to A.B/16. Note that this
> will include the gateway's internal address A.B.1.1! If the gateway sends
> the ping to 1.1.1.2 from A.B.1.1 that requires no new SA, and the client
> will just respond to it and use the same routing it would for A.B.
>
> If there are per-host or per-port SAs involved, then the gateway already
> has a lot of SAs per client. If the gateway is not part of the A.B/16
> network, it is conceivable that it might be "assigned" an address that does
> appear to be on that network. Note: there isn't really any requirement that
> the ping response even reach the Gw, so long as it traverses the Gw, and the
> SAD entry is marked via some LRU algorithm, you can determine which SAs
> have had traffic recently.
>
> :!mcr!: | Cow#1: Are you worried about getting Mad Cow Disease?
> Michael Richardson | Cow#2: No. I'm a duck.
> Home: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
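The selector argument in the quoted message can be checked mechanically. The following is an added illustration, not code from either poster or from any IPsec implementation: a toy Security Association Database (SAD) holding one tunnel-mode SA per client, with the selector check that decides whether a gateway-originated ping fits an existing SA, and the per-SA "last traffic" stamp Michael describes for finding SAs that have gone quiet. All addresses are constructed: the thread's A.B/16 is instantiated as 10.20.0.0/16 (gateway inside address 10.20.1.1, server 10.20.10.254), the client's assigned address is 1.1.1.2, and the gateway's external address is 3.4.5.6; the class and function names are this example's own.

```python
"""Selector check and SAD idle-tracking for gateway-originated heartbeats.

Added example, not code from the thread or from any IPsec stack.
Constructed addresses: the thread's A.B/16 is 10.20.0.0/16, the client
tunnel address is 1.1.1.2 and the gateway external address is 3.4.5.6.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class SAEntry:
    """One tunnel-mode SA as the gateway sees it (selectors cover both directions)."""
    spi: int
    client_selector: Net        # traffic selector on the client side of the tunnel
    inside_selector: Net        # traffic selector on the protected (inside) side
    last_traffic: float = 0.0   # timestamp of the most recent packet: the LRU marker

    def covers(self, src: IPv4, dst: IPv4) -> bool:
        """True if a packet src->dst, in either direction, falls inside the selectors."""
        outbound = src in self.inside_selector and dst in self.client_selector
        inbound = src in self.client_selector and dst in self.inside_selector
        return outbound or inbound


class SAD:
    """Minimal Security Association Database searched by traffic selector."""

    def __init__(self) -> None:
        self.entries: List[SAEntry] = []

    def add(self, sa: SAEntry) -> None:
        self.entries.append(sa)

    def lookup(self, src: IPv4, dst: IPv4) -> Optional[SAEntry]:
        for sa in self.entries:
            if sa.covers(src, dst):
                return sa
        return None

    def record_packet(self, src: IPv4, dst: IPv4, now: float) -> Optional[SAEntry]:
        """Stamp the matching SA as recently used; returns None if no SA covers the packet."""
        sa = self.lookup(src, dst)
        if sa is not None:
            sa.last_traffic = now
        return sa

    def idle_entries(self, now: float, idle_after: float) -> List[SAEntry]:
        """SAs with no traffic for idle_after seconds: the ones worth a heartbeat."""
        return [sa for sa in self.entries if now - sa.last_traffic >= idle_after]


def heartbeat_needs_new_sa(sad: SAD, ping_src: str, ping_dst: str) -> bool:
    """True if a ping ping_src->ping_dst would not fit any SA already in the SAD."""
    return sad.lookup(IPv4(ping_src), IPv4(ping_dst)) is None


def build_example_sad() -> SAD:
    """Two clients, each with one SA from its assigned address to the whole inside net."""
    sad = SAD()
    sad.add(SAEntry(spi=0x1001, client_selector=Net("1.1.1.2/32"),
                    inside_selector=Net("10.20.0.0/16")))
    sad.add(SAEntry(spi=0x1002, client_selector=Net("1.1.1.3/32"),
                    inside_selector=Net("10.20.0.0/16")))
    return sad


if __name__ == "__main__":
    sad = build_example_sad()
    # Ping sourced from the gateway's inside address rides the existing SA ...
    print("inside -> client needs new SA:", heartbeat_needs_new_sa(sad, "10.20.1.1", "1.1.1.2"))
    # ... while one sourced from the external address would need a fresh SA.
    print("external -> client needs new SA:", heartbeat_needs_new_sa(sad, "3.4.5.6", "1.1.1.2"))
    # Only client 1.1.1.2 sends traffic; the other SA shows up as idle.
    sad.record_packet(IPv4("1.1.1.2"), IPv4("10.20.10.254"), now=1000.0)
    print("idle SPIs:", [hex(sa.spi) for sa in sad.idle_entries(now=1030.0, idle_after=60.0)])
```

The `covers` check is symmetric on purpose: the client's echo reply (1.1.1.2 to 10.20.1.1) is matched by the same selector pair, which is why no second SA is needed for the return path either. Real implementations index the SAD by SPI and keep the selectors in the SPD; the linear search here is just to keep the selector logic visible.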