
RE: Heartbeats (was RE: keepalives)



> But there are other reasons to do heartbeats.  For example, if you
> want to verify that the security gateway still knows about your SAs
> (so you can negotiate new ones if the old ones have vanished for some
> reason).   As far as I can see, this "black hole detection" is a
> valuable, perhaps the most valuable, benefit of heartbeat.


Paul,

Is this really necessary though?  Presumably if you sent traffic on an IPsec
SA with a SPI that the gateway doesn't recognize, the gw will send you an
authenticated INVALID_SPI notify, which should tell the Client that the
IPsec SA is gone.  Of course this requires the presence of a phase 1 SA.
However, this is why the INVALID_SPI notify is there, isn't it?

Stephane.
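
The exchange discussed in this message, as an added example that is not part of the original post: a simplified model of a gateway answering traffic on an unknown SPI with an INVALID_SPI notify, and a client that drops its IPsec SA only when the notify verifies under the phase 1 SA. The `Gateway`, `Client` and `send` names, the 6-byte notify layout, and the HMAC-SHA256 tag standing in for phase 1 protection are assumptions of this sketch, not IKE wire format.

```python
import hashlib
import hmac
import struct

INVALID_SPI = 11  # ISAKMP notify message type (RFC 2408)

def make_notify(phase1_key, spi):
    """Gateway side: build an INVALID_SPI notify; tagged only if a phase 1 key exists."""
    body = struct.pack("!HI", INVALID_SPI, spi)
    if phase1_key is None:
        return body  # no phase 1 SA left, so nothing to authenticate with
    return body + hmac.new(phase1_key, body, hashlib.sha256).digest()

class Gateway:
    def __init__(self, phase1_key, spis):
        self.phase1_key, self.spis = phase1_key, set(spis)

    def receive_esp(self, spi):
        """Return None when the SPI is known (traffic flows), else a notify."""
        return None if spi in self.spis else make_notify(self.phase1_key, spi)

class Client:
    def __init__(self, phase1_key, spi):
        self.phase1_key, self.spi, self.sa_alive = phase1_key, spi, True

    def handle_notify(self, msg):
        """Act only on a notify that verifies under the phase 1 SA."""
        body, tag = msg[:6], msg[6:]
        if self.phase1_key is None or len(tag) != 32:
            return "ignored"  # unauthenticated notify: could be spoofed
        expected = hmac.new(self.phase1_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "ignored"
        mtype, spi = struct.unpack("!HI", body)
        if mtype != INVALID_SPI or spi != self.spi:
            return "ignored"
        self.sa_alive = False  # gateway confirmed the SA is gone
        return "renegotiate"

def send(client, gw):
    """One ESP packet from client to gateway; returns the client's outcome."""
    reply = gw.receive_esp(client.spi)
    return "delivered" if reply is None else client.handle_notify(reply)

if __name__ == "__main__":
    key = b"k" * 32  # constructed sample key
    print(send(Client(key, 0x1001), Gateway(key, {0x1001})))  # SA intact
    print(send(Client(key, 0x1001), Gateway(key, set())))     # IPsec SA lost
    print(send(Client(key, 0x1001), Gateway(None, set())))    # phase 1 SA lost too
```

The third case is the one the message's caveat covers: with no phase 1 SA on the gateway the notify cannot be authenticated, the client ignores it, and the stale SA stays in place.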

