
RE: Heartbeats (was RE: keepalives)



>>>>> "Stephane" == Stephane Beaulieu <sbeaulieu@TimeStep.com> writes:

 >> But there are other reasons to do heartbeats.  For example, if you
 >> want to verify that the security gateway still knows about your
 >> SAs (so you can negotiate new ones if the old ones have vanished
 >> for some reason).  As far as I can see, this "black hole
 >> detection" is a valuable, perhaps the most valuable, benefit of
 >> heartbeat.


 Stephane> Paul,

 Stephane> Is this really necessary though?  Presumably if you sent
 Stephane> traffic on an IPsec SA with a SPI that the gateway doesn't
 Stephane> recognize, the gw will send you an authenticated
 Stephane> INVALID_SPI notify, which should tell the Client that the
 Stephane> IPsec SA is gone.  Of course this requires the presence of
 Stephane> a phase 1 SA.  However, this is why the INVALID_SPI notify
 Stephane> is there, isn't it?

I don't think that will help.

First of all, the gateway may not have a phase 1 SA either.

Second, I think many gateways will adamantly refuse to send
invalid_spi notifies on the grounds that they aren't about to be
suckered into using a lot of resources to respond to such a trivial
DoS attack.

	paul
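A small model of the two objections in this reply, as an added example that is not part of the original thread: a gateway can only answer an unknown SPI with an authenticated INVALID_SPI notify when it holds a phase 1 SA with that peer, and even then it limits how many notifies unauthenticated junk can provoke. The Gateway class, peer addresses, SPI values and token-bucket limits are constructed for the demonstration.

```python
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """Minimal model of a security gateway's inbound ESP handling (constructed)."""
    ipsec_sas: set                 # inbound SPIs the gateway still knows
    phase1_peers: set              # peer addresses with a live phase 1 SA
    burst: int = 3                 # token bucket: notifies allowed in a burst (constructed)
    refill_per_sec: float = 1.0    # token bucket: sustained notifies per second (constructed)
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)

    def handle_esp(self, peer: str, spi: int, now: float) -> str:
        """Return the gateway's decision for one inbound ESP packet."""
        if spi in self.ipsec_sas:
            return "deliver"
        # Unknown SPI.  An INVALID_SPI notify only helps the client if it is
        # authenticated, which needs a phase 1 SA with this peer; without one
        # the gateway can only drop the packet (first objection).
        if peer not in self.phase1_peers:
            return "drop: no phase 1 SA, cannot authenticate a notify"
        # Refill the bucket.  Packets with bogus SPIs cost the sender nothing,
        # so notify work must be bounded or it becomes a cheap DoS (second objection).
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens < 1.0:
            return "drop: INVALID_SPI notify rate limit exceeded"
        self.tokens -= 1.0
        return "notify: INVALID_SPI"


def demo() -> list:
    """Run the three cases: live SA, no phase 1 SA, and a vanished SA hit repeatedly."""
    gw = Gateway(ipsec_sas={0x1001}, phase1_peers={"10.0.0.2"})
    results = [
        gw.handle_esp("10.0.0.2", 0x1001, 0.0),   # known SPI: delivered
        gw.handle_esp("10.0.0.3", 0x2002, 0.0),   # unknown SPI, no phase 1 SA: silent drop
    ]
    # Peer with a phase 1 SA keeps sending on an SA the gateway no longer has;
    # only the first `burst` packets within the second earn a notify.
    results += [gw.handle_esp("10.0.0.2", 0x2002, 0.1) for _ in range(5)]
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The client behind peer 10.0.0.3 never learns that its SA is gone, which is the case heartbeats are meant to cover.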
