[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heartbeats (summary of responses)

To: ipsec@lists.tislabs.com
Subject: Re: heartbeats (summary of responses)
From: Ricky Charlet <rcharlet@redcreek.com>
Date: Thu, 09 Dec 1999 10:08:27 -0800
CC: Leonard Schwartz <schwartz@xedia.com>, Tero Kivinen <kivinen@ssh.fi>, Slava Kavsan <bkavsan@ire-ma.com>, Andrew Krywaniuk <akrywaniuk@TimeStep.com>
Organization: RedCreek Communications Inc.
References: <319A1C5F94C8D11192DE00805FBBADDFFFD5DC@exchange> <384F0B1F.7F005895@ire-ma.com> <199912090537.HAA16730@torni.ssh.fi> <384FD8D1.D462B77F@xedia.com>
Sender: owner-ipsec@lists.tislabs.com

Leonard Schwartz wrote:
> 
> Tero Kivinen wrote:
> 
> > Slava Kavsan writes:
> > > My vote goes to Phase1-based hearbeats using never-going-away IKE
> > > SAs (or skeletal ones for resource-restricted implementations - just
> > > enough to protect Informational messages).
> >
> > I don't think people want to implement "skeletal IKE SAs". More code,
> > more special cases, uncommon code path == untested code == lots of
> > bugs...
> >
> > BTW, I am not really happy having the IKE SA to transfer more and more
> > data. Currently the IKE can happily be in user mode and use software
> > encryption, because the amount of data to be transferred is that
> > small. If we start sending hearbeats inside the IKE message we also
> > might end up consuming our randomness quite fast. For each IKE message
> > we need to create random message id and a random nonce.
> >
> > > I would also like to suggest using Ack-ed NOTIFY mechanism and not
> > > to invent yet another scheme. Heartbeat management messages will
> > > also be useful.
> >
> > If we really want to have phase 1 heartbeat, I think one way notify
> > from both ends using negotiated interval is the right way to do.
> >
> > Anyways I think phase 2 heartbeats are the ones we want to move
> > forward, and preferredly we are using just normal ping packets to the
> > some ip-address of the other end.
> >
> 
> Tero, consider the case when 2 gateways have many (hundreds or
> thousands) tunnels between them. Running phase 2 heartbeats for each
> IPSec SA pair between gateways will not scale. You may suggest that
> multiple IPSec tunnels between 2 IPSec gateways is not a terribly useful
> configuration but it can be done. One the other hand phase 1 heartbeats
> do not have the same problem.

Howdy ()
	One extra dedicated pinging phase 2 SA pair per gateway pair scales
even better in this scenario. But alas, this idea scales destrucivly
when hundreds || thousands of clients want to connect to a gateway.


-- 
####################################
#  Ricky Charlet
#	(510) 795-6903
#	rcharlet@redcreek.com
####################################

end Howdy;

Follow-Ups:

Re: heartbeats (summary of responses)

From: Tero Kivinen <kivinen@ssh.fi>

References:

heartbeats (summary of responses)

From: Andrew Krywaniuk <akrywaniuk@TimeStep.com>

Re: heartbeats (summary of responses)

From: Slava Kavsan <bkavsan@ire-ma.com>

Re: heartbeats (summary of responses)

From: Tero Kivinen <kivinen@ssh.fi>

Re: heartbeats (summary of responses)

From: Leonard Schwartz <schwartz@xedia.com>

Prev by Date: Re: heartbeats (summary of responses)
Next by Date: RE: heartbeats (summary of responses)
Prev by thread: Re: heartbeats (summary of responses)
Next by thread: Re: heartbeats (summary of responses)
Index(es):
- Main
- Thread