Re: Heartbeats (was RE: keepalives)
>>>>> "Paul" == Paul Koning <pkoning@xedia.com> writes:
>>>>> "Michael" == Michael C Richardson <mcr@sandelman.ottawa.on.ca> writes:
>>>>> "Bronislav" == Bronislav Kavsan <bkavsan@ire-ma.com> writes:
Bronislav> If gateway protects internal subnet
Bronislav> 199.34.57.0/255.255.255.0 and has internal address
Bronislav> 199.34.57.27 - how Client would know this internal gateway
Bronislav> address in order to ping it? Do you
Michael> My opinion is that clients don't do heartbeats, since they
Michael> don't have 2000 SAs that they want to track.
Paul> But there are other reasons to do heartbeats. For example, if you
Paul> want to verify that the security gateway still knows about your SAs
Paul> (so you can negotiate new ones if the old ones have vanished for some
Paul> reason). As far as I can see, this "black hole detection" is a
Paul> valuable, perhaps the most valuable, benefit of heartbeat.
If there is traffic flowing, then the SA is alive.
If you want to insert a ping, and need an address, and the ping will fit
into the SA in the first place, then ping the remote end of an open TCP
connection.
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
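The decision logic the message describes, written out as an added example (this is not code from the post or from any IPsec implementation): an SA that has carried inbound traffic within the idle window is treated as alive and is never probed; once it goes idle, the probe target is the remote end of an ESTABLISHED TCP connection whose peer address falls inside the SA's traffic selector, so the ping necessarily fits the SA; and a run of unanswered probes is treated as the "black hole" case where the SA should be torn down and renegotiated. The SA fields, the connection records, the idle window of 30 seconds and the limit of three outstanding probes are assumptions made for the example; sending the ICMP echo and receiving the reply (which would arrive on the SA and count as inbound traffic) is left to the caller.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TcpConn:
    """One entry from the host's TCP connection table (constructed for the example)."""
    local_ip: str
    remote_ip: str
    remote_port: int
    state: str          # "ESTABLISHED", "TIME_WAIT", ...


@dataclass
class SA:
    """Minimal per-SA liveness state (assumed layout, not any real stack's)."""
    spi: int
    remote_selector: str          # subnet the SA protects, e.g. "199.34.57.0/24"
    last_inbound: float = 0.0     # time of the last packet received on this SA
    probes_outstanding: int = 0   # probes sent since the last inbound packet
    dead: bool = False


def note_inbound(sa: SA, now: float) -> None:
    """Any packet received on the SA proves the peer still has it: reset the probe count."""
    sa.last_inbound = now
    sa.probes_outstanding = 0


def probe_target(sa: SA, conns: List[TcpConn]) -> Optional[str]:
    """Remote end of an open TCP connection inside the SA's selector, or None.

    Choosing an address we are already talking to through the SA means the
    ping matches the SA's selector and there is no need to learn a gateway
    address that the client may not know.
    """
    net = ipaddress.ip_network(sa.remote_selector, strict=False)
    for c in conns:
        if c.state == "ESTABLISHED" and ipaddress.ip_address(c.remote_ip) in net:
            return c.remote_ip
    return None


def heartbeat_step(sa: SA, now: float, conns: List[TcpConn],
                   idle_limit: float = 30.0, max_probes: int = 3) -> Tuple[str, Optional[str]]:
    """Decide what to do for one SA at time `now`.

    Returns ("alive", None) when traffic has flowed recently, ("probe", addr)
    when a ping should be sent to addr, ("idle-no-target", None) when the SA
    is idle but nothing inside its selector can be pinged, and ("dead", None)
    once max_probes have gone unanswered (black hole: renegotiate the SA).
    """
    if sa.dead:
        return ("dead", None)
    if now - sa.last_inbound <= idle_limit:
        return ("alive", None)            # traffic flowing => SA is alive
    if sa.probes_outstanding >= max_probes:
        sa.dead = True                    # peer has lost the SA; caller renegotiates
        return ("dead", None)
    target = probe_target(sa, conns)
    if target is None:
        return ("idle-no-target", None)   # nothing to ping that would fit the SA
    sa.probes_outstanding += 1            # caller sends ICMP echo to target here
    return ("probe", target)


if __name__ == "__main__":
    # Constructed sample: an SA to 199.34.57.0/24 and two open TCP connections,
    # only one of which has its remote end inside the SA's selector.
    sa = SA(spi=0x1234, remote_selector="199.34.57.0/24")
    conns = [TcpConn("10.0.0.5", "199.34.57.27", 22, "ESTABLISHED"),
             TcpConn("10.0.0.5", "8.8.8.8", 443, "ESTABLISHED")]
    note_inbound(sa, 100.0)
    for t in (110.0, 140.0, 150.0, 160.0, 170.0):
        print(t, heartbeat_step(sa, t, conns))
```

Run stand-alone, the loop shows the SA reported alive at t=110, probed three times against 199.34.57.27 once it has been idle longer than the window, and declared dead at t=170 when none of the probes produced inbound traffic.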