Re: Heartbeats (was RE: keepalives)
>>>>> "Michael" == Michael Richardson <mcr@sandelman.ottawa.on.ca> writes:
>>>>> "Paul" == Paul Koning <pkoning@xedia.com> writes:
>>>>> "Michael" == Michael C Richardson <mcr@sandelman.ottawa.on.ca> writes:
Michael> My opinion is that clients don't do heartbeats, since they
Michael> don't have 2000 SAs that they want to track.
Paul> But there are other reasons to do heartbeats. For example, if
Paul> you want to verify that the security gateway still knows about
Paul> your SAs (so you can negotiate new ones if the old ones have
Paul> vanished for some reason). As far as I can see, this "black
Paul> hole detection" is a valuable, perhaps the most valuable,
Paul> benefit of heartbeat.
Michael> If there is traffic flowing, then the SA is alive. If you
Michael> want to insert a ping, and need an address, and the ping
Michael> will fit into the SA in the first place, then ping the
Michael> remote end of an open TCP connection.
Paul> The interesting case of course is where you are sending secured
Paul> traffic out but aren't receiving any back. So in that case you need a
Paul> heartbeat to decide what the situation is.
I agree. You aren't using TCP in that case, so you don't have a TCP-only
SA. It might be UDP, but it isn't RPC. You might be sending multicast, in
which case it makes no sense to have a heartbeat.
Paul> How can you ping the remote end of an open TCP connection? Routers
Paul> don't know anything about open TCP connections. There may not be any
Paul> open TCP connections, of course...
If you don't know about the TCP connections, then how did you open that
TCP-only SA?
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
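The outbound-only case the thread settles on (secured traffic going out, nothing coming back, multicast excluded) is the one a heartbeat exists for. Below is an added example of that decision logic, not code from this thread or from any IPsec implementation the thread discusses; the class, method names, event format and timer values are assumptions. The rule it implements is the traffic-triggered one: inbound traffic proves the SA is alive, idle SAs are left alone, and only sustained send-without-receive earns a probe, with a black hole declared after a fixed number of unanswered probes. The same idea was later standardized for IKE as Dead Peer Detection (RFC 3706).

```python
# Added example: traffic-driven black-hole detection for an IPsec SA.
# Not code from the thread; names and timer values are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SAMonitor:
    """Liveness state kept per outbound SA (hypothetical structure)."""
    idle_limit: float = 30.0      # outbound-only silence tolerated before probing
    probe_interval: float = 5.0   # wait per unanswered heartbeat
    max_probes: int = 3           # unanswered heartbeats before declaring a black hole
    unicast: bool = True          # multicast SAs expect no reply: never heartbeat
    tx_since_rx: Optional[float] = None  # time of first send after the last receive
    last_probe: Optional[float] = None
    probes_outstanding: int = 0

    def note_tx(self, now: float) -> None:
        """Record protected traffic sent on this SA."""
        if self.tx_since_rx is None:
            self.tx_since_rx = now

    def note_rx(self, now: float) -> None:
        """Any inbound packet on the SA (data or heartbeat reply) proves the peer is alive."""
        self.tx_since_rx = None
        self.last_probe = None
        self.probes_outstanding = 0

    def check(self, now: float) -> str:
        """Periodic decision: 'ok', 'waiting', 'probe' (send a heartbeat) or 'dead'."""
        if not self.unicast:
            return "ok"            # nothing is expected back on a multicast SA
        if self.tx_since_rx is None:
            return "ok"            # nothing sent, or the peer answered: no question to settle
        if now - self.tx_since_rx < self.idle_limit:
            return "ok"            # outbound-only so far, but give the peer time
        # Sending out, nothing back for idle_limit: this is the heartbeat case.
        if self.last_probe is not None and now - self.last_probe < self.probe_interval:
            return "waiting"
        if self.probes_outstanding >= self.max_probes:
            return "dead"          # caller should drop the SA and negotiate a new one
        self.probes_outstanding += 1
        self.last_probe = now
        return "probe"


def simulate(sa: SAMonitor, events: List[Tuple[float, str]]) -> List[Tuple[float, str]]:
    """Drive a monitor with constructed (time, 'tx'|'rx'|'check') events; return check results."""
    results = []
    for t, kind in sorted(events, key=lambda e: e[0]):   # stable: tx before check at equal t
        if kind == "tx":
            sa.note_tx(t)
        elif kind == "rx":
            sa.note_rx(t)
        elif kind == "check":
            results.append((t, sa.check(t)))
    return results


def black_hole_scenario() -> List[str]:
    """Outbound traffic keeps flowing, nothing ever comes back (constructed timeline)."""
    sa = SAMonitor()
    events = [(t, "tx") for t in range(0, 60, 10)] + \
             [(t, "check") for t in (0, 10, 20, 30, 35, 40, 45, 50)]
    return [r for _, r in simulate(sa, events)]


def healthy_scenario() -> List[str]:
    """A reply arrives shortly after each send: no heartbeat is ever needed."""
    sa = SAMonitor()
    events = [(0, "tx"), (5, "rx"), (40, "tx"), (45, "rx")] + \
             [(t, "check") for t in (10, 30, 50, 80)]
    return [r for _, r in simulate(sa, events)]


def multicast_scenario() -> List[str]:
    """Multicast SA: nothing is expected back, so the monitor never probes."""
    sa = SAMonitor(unicast=False)
    events = [(t, "tx") for t in range(0, 100, 10)] + [(t, "check") for t in (50, 90)]
    return [r for _, r in simulate(sa, events)]


if __name__ == "__main__":
    print("black hole:", black_hole_scenario())
    print("healthy:   ", healthy_scenario())
    print("multicast: ", multicast_scenario())
```

The monitor never probes an SA that is idle in both directions, which is what keeps the per-SA cost low on a gateway tracking thousands of them; the heartbeat itself has to be a packet the SA's selectors admit, which is exactly the "need an address, and the ping will fit into the SA" problem raised above.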