[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: heartbeats (summary of responses)

To: ipsec@lists.tislabs.com
Subject: RE: heartbeats (summary of responses)
From: Tero Kivinen <kivinen@ssh.fi>
Date: Thu, 9 Dec 1999 23:42:34 +0200 (EET)
In-Reply-To: <1FD60AE4DB6CD2118C420008C74C27B81D0034@baltimore.com>
Organization: SSH Communications Security Oy
References: <1FD60AE4DB6CD2118C420008C74C27B81D0034@baltimore.com>
Sender: owner-ipsec@lists.tislabs.com

Chris Trobridge writes:
> > > The other one will then start sending those packets using 
> > that SA just
> > > negotiated. The ip address must be from the range that is covered by
> > > the quick mode selectors.
> > Interesting idea. Question: how do you send ICMP heartbeats 
> > on IPSec SAs that are restricted to TCP-only or UDP-only protocols?

If you are doing TCP/UDP based policies, then you propably have
multiple SAs between hosts anyways, so you can instead create one SA
just for ICMP traffic (i.e. create one SA only for ICMP traffic, and
request heartbeats only from that SA). 

> Or IPSEC SAs that don't include the gateway addresses?

It doesn't matter, because the notify already includes the ip-address
to use. There is no need to have gateways ip address anywhere. The
ip-address given in the notify payload doesn't have to be one of the
gateways, it can give any ip-address it wants, provided that it is
covered by the quick mode selectors. 
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

References:

RE: heartbeats (summary of responses)

From: Chris Trobridge <CTrobridge@baltimore.com>

Prev by Date: Re: cookie verification
Next by Date: Re: heartbeats (summary of responses)
Prev by thread: RE: heartbeats (summary of responses)
Next by thread: RE: heartbeats (summary of responses)
Index(es):
- Main
- Thread