
RE: heartbeats (summary of responses)



> > Tero, consider the case when 2 gateways have many (hundreds or
> > thousands) tunnels between them. Running phase 2 heartbeats for each
> > IPSec SA pair between gateways will not scale. You may suggest that
> > multiple IPSec tunnels between 2 IPSec gateways is not a terribly useful
> > configuration but it can be done. On the other hand phase 1 heartbeats
> > do not have the same problem.
> 
> Howdy ()
> 	One extra dedicated pinging phase 2 SA pair per gateway pair scales
> even better in this scenario. But alas, this idea scales destructively
> when hundreds || thousands of clients want to connect to a gateway.

Hi, 

I don't understand this particular objection to SA-referenced heartbeats.
Yes, in the scenario where you have thousands of SAs between two gateways,
it is much more efficient to have one dedicated host-referenced heartbeat
link, but it's just an economy of scale.

If you have thousands of SAs between two gateways then you've probably got
mega-giga-googlebit traffic going on that link, so 64 bytes per SA per
minute is going to get lost in the shuffle... Unless, of course, these are
transient SAs, in which case you should implement inactivity timeouts.

In the case of thousands of clients connecting to one gateway it's the same
thing. With one SA per peer, Host-referenced and SA-referenced heartbeats
give you essentially the same performance.

Andrew
_______________________________________________
 Beauty without truth is insubstantial.
 Truth without beauty is unbearable.
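The scaling argument above (probes per SA versus probes per gateway pair, and inactivity timeouts for transient SAs), worked through as an added model that is not from this thread or any IPsec implementation; the 64-byte, once-per-minute heartbeat and the gateway/client names are assumptions taken from the post's own figures.

```python
# Model of heartbeat overhead for SA-referenced vs host-referenced probes.
# Assumed (not from the thread): one 64-byte heartbeat per probe per minute.
HEARTBEAT_BYTES = 64
HEARTBEAT_INTERVAL_S = 60.0


def live_sas(sas, now, inactivity_timeout_s=None):
    """Apply an inactivity timeout: drop SAs idle longer than the timeout.
    sas: list of (local_gw, remote_gw, last_traffic_time) tuples."""
    if inactivity_timeout_s is None:
        return list(sas)
    return [sa for sa in sas if now - sa[2] <= inactivity_timeout_s]


def probe_count(sas, mode):
    """Heartbeat probes needed under each referencing scheme."""
    if mode == "sa":            # SA-referenced: one probe per IPsec SA pair
        return len(sas)
    if mode == "host":          # host-referenced: one probe per gateway pair
        return len({(local, remote) for local, remote, _ in sas})
    raise ValueError(f"unknown mode {mode!r}")


def heartbeat_bps(sas, mode):
    """Bits per second spent on heartbeats for the given SA set and mode."""
    return probe_count(sas, mode) * HEARTBEAT_BYTES * 8 / HEARTBEAT_INTERVAL_S


def overhead_fraction(sas, mode, link_bps):
    """Heartbeat traffic as a fraction of the link's capacity."""
    return heartbeat_bps(sas, mode) / link_bps


# Constructed scenarios matching the two cases discussed in the thread.
def gateway_pair(n_sas, now=0.0):
    """Many SAs between the same two gateways (constructed names)."""
    return [("gwA", "gwB", now) for _ in range(n_sas)]


def many_clients(n_clients, now=0.0):
    """One SA per client, all terminating on one gateway (constructed)."""
    return [(f"client{i}", "gw", now) for i in range(n_clients)]


if __name__ == "__main__":
    pair = gateway_pair(1000)
    for mode in ("sa", "host"):
        print(mode, probe_count(pair, mode), round(heartbeat_bps(pair, mode), 2))
    clients = many_clients(1000)
    print("clients:", probe_count(clients, "sa"), probe_count(clients, "host"))
```

Against a 1 Gbit/s link, a thousand SA-referenced probes cost under a hundred-thousandth of the capacity, while in the thousand-client case both schemes need exactly the same number of probes.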