Re: heartbeats (summary of responses)

[Michael Richardson <mcr@sandelman.ottawa.on.ca>]

>>>>> "Slava" == Slava Kavsan <bkavsan@ire-ma.com> writes:
    Slava> Tero Kivinen wrote:

    >> The other one will then start sending those packets using that SA just
    >> negotiated. The ip address must be from the range that is covered by
    >> the quick mode selectors.

    Slava> Tero,

    Slava> Interesting idea. Question: how do you send ICMP heartbeats on
    Slava> IPSec SAs that are restricted to TCP-only or UDP-only protocols?

  a) You don't.
     In the case that you have such restricted SAs, you probably have a lot
     of them, and a heartbeat SA won't kill you. Or you do without
     heartbeats, and depend upon the reception of traffic from the other end
     (TCP will retransmit) to infer that the other end is alive.
 
  b) You have the general problem with these restricted SAs that it doesn't
     accomodate ICMP error messages (i.e. host unreachable) so you can't even
     detect if the end-host is down, and you should fail-over. I've written
     extensively about this, so I won't say anymore.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

---

References:

• Re: heartbeats (summary of responses)
• From: Slava Kavsan <bkavsan@ire-ma.com>

---

• Prev by Date: Re: heartbeats (summary of responses)
• Next by Date: Re: Heartbeats (was RE: keepalives)
• Prev by thread: Re: heartbeats (summary of responses)
• Next by thread: Re: heartbeats (summary of responses)
• Index(es):
  • Main
  • Thread