
RE: heartbeats (summary of responses)



> From: Tero Kivinen [mailto:kivinen@ssh.fi]
> Sent: 09 December 1999 21:43
> To: ipsec@lists.tislabs.com
> Subject: RE: heartbeats (summary of responses)
> 
> 
> Chris Trobridge writes:
> > Or IPSEC SAs that don't include the gateway addresses?
> 
> It doesn't matter, because the notify already includes the ip-address
> to use. There is no need to have gateways ip address anywhere. The
> ip-address given in the notify payload doesn't have to be one of the
> gateways, it can give any ip-address it wants, provided that it is
> covered by the quick mode selectors. 

The end that receives this notify has to transmit the ping though(?), and it
needs an address to ping from.  This would preferably be its own address,
unless you're advocating the gateway spoofs a client address (I hope not!).
It would also need to be covered by a common quick mode selector.

One thing I've noticed is that while the 'public' IP address (the one used
to set up the ISAKMP SA) is known to each peer, the private addresses
aren't.

This is one of the reasons why I think the heart beats should be transmitted
between gateway addresses directly.

Even if you give a client address to ping to, you're now testing whether
this address is up or not as well.  The availability requirement on the host
at this address means that it probably needs to be manually configured, e.g.
you shouldn't just scan through the local hosts on your selector until you
find one that responds to pings and offer that address.

I think that anything that relies on traffic going beyond the gateway is
only going to be useful in specific limited scenarios.

Chris
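The selector-coverage question raised in this message, as an added example that is not part of the original thread or of any IPsec implementation discussed on the list: a gateway receives a notify naming an address to ping, checks that some quick mode selector covers that address on the remote side, and then looks for one of its own addresses that is covered on the local side of a common selector. If none is, the heartbeat could only traverse the SA with a spoofed client source, and the check refuses rather than spoof. The subnets, gateway addresses, the `Selector` dataclass and the function names are all hypothetical.

```python
# Added example (not from the mailing-list thread): checking whether a
# heartbeat target proposed in a notify payload, and a source address to
# ping it from, are covered by the quick mode selectors of a tunnel.
# Topology, addresses and selector shapes below are hypothetical.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Selector:
    """One quick mode traffic selector as seen from this gateway.

    local/remote are the protected subnets on each side; proto is the IP
    protocol number the selector allows (0 = any, 1 = ICMP).
    """
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: int = 0


def selector(local: str, remote: str, proto: int = 0) -> Selector:
    """Build a Selector from CIDR strings."""
    return Selector(ipaddress.IPv4Network(local),
                    ipaddress.IPv4Network(remote), proto)


def covers(sel: Selector, src: str, dst: str, proto: int) -> bool:
    """True if a packet src -> dst with this protocol would go through the SA."""
    return (ipaddress.IPv4Address(src) in sel.local
            and ipaddress.IPv4Address(dst) in sel.remote
            and sel.proto in (0, proto))


def notify_target_acceptable(sels: Sequence[Selector], target: str) -> bool:
    """The peer may name any address in its notify, provided some selector
    covers it on the remote side; anything else is rejected before pinging."""
    t = ipaddress.IPv4Address(target)
    return any(t in s.remote for s in sels)


def pick_heartbeat_source(sels: Sequence[Selector], own_addrs: Sequence[str],
                          target: str, proto: int = 1) -> Optional[str]:
    """Find one of this gateway's own addresses from which an ICMP heartbeat
    to `target` is covered by a common selector, i.e. actually traverses the SA.

    Returns None when no own address qualifies: the ping could then only be
    tunnelled with a spoofed client source, which this check refuses to do.
    """
    for src in own_addrs:
        if any(covers(s, src, target, proto) for s in sels):
            return src
    return None


if __name__ == "__main__":
    # Constructed tunnel: 10.1.0.0/24 on our side, 10.2.0.0/24 on the peer's.
    sels = [selector("10.1.0.0/24", "10.2.0.0/24")]
    print(notify_target_acceptable(sels, "10.2.0.50"))  # True
    print(notify_target_acceptable(sels, "10.3.0.5"))   # False
    # Our gateway has a public address plus a private one inside the selector.
    print(pick_heartbeat_source(sels, ["192.0.2.1", "10.1.0.1"], "10.2.0.50"))    # 10.1.0.1
    # Same public address, but the private side is outside the selector: no source.
    print(pick_heartbeat_source(sels, ["192.0.2.1", "172.16.0.1"], "10.2.0.50"))  # None
```

The last call is the case the message argues about: the public address used for the ISAKMP SA is never inside the quick mode selectors, so unless the gateway also holds a private address covered by a common selector, there is no legitimate source from which to send the ping through the tunnel.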