RE: Heartbeats (was RE: keepalives)
>>>>> "Stephane" == Stephane Beaulieu <sbeaulieu@TimeStep.com> writes:
>> But there are other reasons to do heartbeats. For example, if you
>> want to verify that the security gateway still knows about your
>> SAs (so you can negotiate new ones if the old ones have vanished
>> for some reason). As far as I can see, this "black hole
>> detection" is a valuable, perhaps the most valuable, benefit of
>> heartbeat.
Stephane> Paul,
Stephane> Is this really necessary though? Presumably if you sent
Stephane> traffic on an IPsec SA with a SPI that the gateway doesn't
Stephane> recognize, the gw will send you an authenticated
Stephane> INVALID_SPI notify, which should tell the Client that the
Stephane> IPsec SA is gone. Of course this requires the presence of
Stephane> a phase 1 SA. However, this is why the INVALID_SPI notify
Stephane> is there, isn't it?
I don't think that will help.
First of all, the gateway may not have a phase 1 SA either.
Second, I think many gateways will adamantly refuse to send
invalid_spi notifies on the grounds that they aren't about to be
suckered into using a lot of resources to respond to such a trivial
DoS attack.
paul
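A toy model of the two detection strategies argued over above, added here as an illustration and not code from either poster: a gateway that has lost its IPsec SAs, a client that waits for an INVALID_SPI notify, and a client that treats unanswered heartbeats as the signal. The notify budget of 3, the threshold of 3 missed heartbeats, and the class and function names are constructed assumptions.

```python
# Added toy model of the thread's argument (not code from the posts).
# Assumptions: a gateway that has lost its IPsec SA state, a per-window
# budget of 3 INVALID_SPI notifies (its DoS guard), and a client that
# declares a black hole after 3 unanswered heartbeats.

class Gateway:
    """Peer that has lost all IPsec SA state (e.g. after a reboot)."""
    def __init__(self, has_phase1_sa, notify_budget=3):
        self.ipsec_sas = set()              # no SPIs are known any more
        self.has_phase1_sa = has_phase1_sa
        self.notify_budget = notify_budget  # cap on replies to unauthenticated triggers

    def receive_esp(self, spi):
        """Answer an ESP packet with data, an authenticated INVALID_SPI, or silence."""
        if spi in self.ipsec_sas:
            return "DATA"
        if not self.has_phase1_sa:          # first point: no SA to authenticate a notify with
            return None
        if self.notify_budget == 0:         # second point: refuses to spend resources on it
            return None
        self.notify_budget -= 1
        return "INVALID_SPI"

    def receive_heartbeat(self, spi):
        """Heartbeat asking 'do you still know SA <spi>?'; answered only over phase 1."""
        if self.has_phase1_sa and spi in self.ipsec_sas:
            return "HEARTBEAT_ACK"
        return None


def detect_via_invalid_spi(gw, spi, attempts=5):
    """Client strategy 1: believe the SA is gone only if a notify actually arrives."""
    return any(gw.receive_esp(spi) == "INVALID_SPI" for _ in range(attempts))


def detect_via_heartbeat(gw, spi, max_misses=3):
    """Client strategy 2: the absence of an answer is itself the signal."""
    for _ in range(max_misses):
        if gw.receive_heartbeat(spi) is not None:
            return False                    # peer alive and still knows the SA
    return True                             # black hole: renegotiate


if __name__ == "__main__":
    rebooted = Gateway(has_phase1_sa=False)             # phase 1 SA gone as well
    print(detect_via_invalid_spi(rebooted, 0x1234))     # False: never told
    print(detect_via_heartbeat(rebooted, 0x1234))       # True
    busy = Gateway(has_phase1_sa=True)
    for spi in range(3):                                # budget already spent
        busy.receive_esp(spi)
    print(detect_via_invalid_spi(busy, 0x1234))         # False: notify suppressed
```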