
Re: Heartbeats (was RE: keepalives)




>>>>> "Paul" == Paul Koning <pkoning@xedia.com> writes:
>>>>> "Michael" == Michael C Richardson <mcr@sandelman.ottawa.on.ca> writes:
>>>>> "Bronislav" == Bronislav Kavsan <bkavsan@ire-ma.com> writes:

    Bronislav> If a gateway protects the internal subnet
    Bronislav> 199.34.57.0/255.255.255.0 and has the internal address
    Bronislav> 199.34.57.27 - how would the Client know this internal gateway
    Bronislav> address in order to ping it?  Do you

    Michael> My opinion is that clients don't do heartbeats, since they
    Michael> don't have 2000 SAs that they want to track.

    Paul> But there are other reasons to do heartbeats.  For example, if you
    Paul> want to verify that the security gateway still knows about your SAs
    Paul> (so you can negotiate new ones if the old ones have vanished for some
    Paul> reason).   As far as I can see, this "black hole detection" is a
    Paul> valuable, perhaps the most valuable, benefit of heartbeat.

  If there is traffic flowing, then the SA is alive.
  If you want to insert a ping, and need an address, and the ping will fit
into the SA in the first place, then ping the remote end of an open TCP
connection. 

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
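The rule in the reply above (traffic under the SA proves it is alive; when the SA goes quiet, ping the remote end of an open TCP connection that the SA already carries, rather than an internal gateway address the client cannot know) can be written down as a small black-hole detector. This is an added example, not code from the thread or from any of the posters; the SA record, the TCP connection table, the idle threshold and the failure count before renegotiation are assumptions chosen for illustration.

```python
"""Black-hole detection for one IPsec SA without knowing the gateway's
internal address.

Added example, not code from the thread.  The SA record, the connection
table shape (laddr, lport, raddr, rport), the 30 s idle threshold and the
3-failure limit are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple


@dataclass
class SA:
    spi: int
    remote_net: ipaddress.IPv4Network  # traffic selector: hosts this SA protects
    last_rx: float                     # time of last authenticated packet under this SPI
    probe_failures: int = field(default=0)


def note_rx(sa: SA, now: float) -> None:
    """Any authenticated ESP/AH packet received under the SPI proves the
    peer still holds the SA, so ordinary traffic resets the clock."""
    sa.last_rx = now
    sa.probe_failures = 0


def sa_recently_alive(sa: SA, now: float, idle: float) -> bool:
    return now - sa.last_rx <= idle


def pick_probe_target(sa: SA, tcp_conns: Iterable[Tuple[str, int, str, int]]) -> Optional[str]:
    """Return the remote IP of an open TCP connection that falls inside the
    SA's selector.  A ping to that host is routed through the SA, so a reply
    exercises the whole tunnel, and the host is known to be answering."""
    for _laddr, _lport, raddr, _rport in tcp_conns:
        if ipaddress.IPv4Address(raddr) in sa.remote_net:
            return raddr
    return None


def black_hole_check(sa: SA, now: float, tcp_conns, idle: float = 30.0):
    """Decide what to do for one SA.
    ("alive", None)   traffic within the idle window proves liveness;
    ("probe", ip)     the SA is quiet, send a ping to ip through it;
    ("unknown", None) the SA is quiet and nothing it covers can be pinged."""
    if sa_recently_alive(sa, now, idle):
        return ("alive", None)
    target = pick_probe_target(sa, tcp_conns)
    if target is None:
        return ("unknown", None)
    return ("probe", target)


def record_probe(sa: SA, replied: bool, now: float, max_failures: int = 3) -> bool:
    """Feed a probe result back.  Returns True when the SA should be treated
    as a black hole and renegotiated (the peer has presumably lost it)."""
    if replied:
        note_rx(sa, now)       # the reply arrived under the SPI, same as any traffic
        return False
    sa.probe_failures += 1
    return sa.probe_failures >= max_failures


# Constructed sample data: one tunnel-mode SA toward 199.34.57.0/24 and two
# open TCP connections, only one of which is carried by that SA.
SAMPLE_SA = SA(spi=0x1234, remote_net=ipaddress.ip_network("199.34.57.0/24"), last_rx=100.0)
SAMPLE_CONNS = [
    ("10.0.0.5", 40000, "192.0.2.10", 443),   # outside the selector, not useful
    ("10.0.0.5", 40001, "199.34.57.40", 22),  # inside the selector, good ping target
]


def demo():
    """Walk the SA through: fresh traffic, an idle period, and probe results."""
    results = []
    results.append(black_hole_check(SAMPLE_SA, 110.0, SAMPLE_CONNS))       # alive
    results.append(black_hole_check(SAMPLE_SA, 200.0, SAMPLE_CONNS))       # probe 199.34.57.40
    results.append(black_hole_check(SAMPLE_SA, 200.0, SAMPLE_CONNS[:1]))   # unknown
    renegotiate = [record_probe(SAMPLE_SA, False, 200.0 + i) for i in range(3)]
    results.append(tuple(renegotiate))                                     # (False, False, True)
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The detector never needs the gateway's own internal address: a reply to the probe, or any other packet authenticated under the SPI, is what proves the far end still knows the SA, and only repeated silence leads to renegotiation.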
