
Re: heartbeats (summary of responses)



Ricky Charlet writes:
> > Tero, consider the case when 2 gateways have many (hundreds or
> > thousands) tunnels between them. Running phase 2 heartbeats for each
> > IPSec SA pair between gateways will not scale. You may suggest that
> > multiple IPSec tunnels between 2 IPSec gateways is not a terribly useful
> > configuration but it can be done. On the other hand phase 1 heartbeats
> > do not have the same problem.

If you have hundreds or thousands of IPsec SAs, and you don't want to run
heartbeats on all of them, why did you request them in the first
place? The only way all of those 100-1000 SAs are sending those
heartbeat packets is because one end requested them on that SA. In
the normal case the gateway can just check that it already has one SA that is
sending heartbeats from that other gateway, so it doesn't need yet another
one and doesn't request heartbeats now.

Also if you really have 100-1000 SAs between two gateways, then you
probably want to configure just one SA to send those heartbeats and
that SA doesn't do anything else.

> 	One extra dedicated pinging phase 2 SA pair per gateway pair scales
> even better in this scenario. But alas, this idea scales destructively
> when hundreds || thousands of clients want to connect to a gateway.

If we can request any phase 2 SA to also carry heartbeat packets
(provided it can move ICMP traffic in the first place), then you can
either use only one dedicated SA between gateways, or you can use
normal traffic SAs between clients and gateways.

This kind of protocol allows you to have both setups, and the
administrator (or the implementor) can decide which way he wants them
to be.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
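The policy argued for above (request heartbeats on a new phase 2 SA only when no SA to that peer already carries them, and fall back to another ICMP-capable SA when the carrier is torn down) as an added illustration; this is not code from the list message or from any IKE implementation, and the SA fields, peer labels and timer values are constructed for the example.

```python
"""Per-peer heartbeat request policy for gateways with many IPsec SAs (constructed example)."""
from dataclasses import dataclass


@dataclass
class SA:
    spi: int
    peer: str             # remote gateway identity (constructed label, not a real address)
    carries_icmp: bool    # the SA's selectors admit ICMP, so heartbeats can ride on it
    heartbeats: bool = False


class HeartbeatPolicy:
    def __init__(self, interval: float, misses: int = 3):
        self.interval = interval
        self.deadline = interval * misses          # peer is dead after this many missed beats
        self.sas: dict[int, SA] = {}
        self.last_seen: dict[str, float] = {}      # peer -> time of last heartbeat

    def _heartbeat_sa(self, peer: str):
        return next((s for s in self.sas.values() if s.peer == peer and s.heartbeats), None)

    def add_sa(self, sa: SA, now: float) -> bool:
        """Install an SA; request heartbeats on it only if this peer has no carrier yet."""
        self.sas[sa.spi] = sa
        if sa.carries_icmp and self._heartbeat_sa(sa.peer) is None:
            sa.heartbeats = True
            self.last_seen.setdefault(sa.peer, now)
        return sa.heartbeats                       # True only for the one carrier per peer

    def delete_sa(self, spi: int) -> None:
        """Tear down an SA; if it carried the peer's heartbeats, move that role elsewhere."""
        sa = self.sas.pop(spi)
        if not sa.heartbeats:
            return
        for other in self.sas.values():
            if other.peer == sa.peer and other.carries_icmp:
                other.heartbeats = True            # liveness tracking continues seamlessly
                return
        self.last_seen.pop(sa.peer, None)          # no ICMP-capable SA left: stop tracking

    def heartbeat_received(self, peer: str, now: float) -> None:
        self.last_seen[peer] = now

    def dead_peers(self, now: float) -> list:
        return sorted(p for p, t in self.last_seen.items() if now - t > self.deadline)
```

Note that a peer whose remaining SAs cannot carry ICMP silently drops out of liveness tracking, which is the case where a dedicated heartbeat-only SA, as suggested above, pays off.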

