
Re: Heartbeats (was RE: keepalives)




>>>>> "Paul" == Paul Koning <pkoning@xedia.com> writes:
    Paul> Well, in a high speed router you're DEFINITELY not going to observe
    Paul> packets to parse out TCP protocol operations.  Not unless you have to
    Paul> (e.g., if you're required to do stateful firewall work).

  You definitely *WILL* observe TCP protocols because you have to select 
the right SA!!! Multiple vendors build hardware to do this already, some in O(1) time,
independent of the number of SAs.

    Paul> As for (b), I don't understand.

    Paul> The issue was, if I remember right: how can a security gateway do
    Paul> heartbeat by pinging?  

  And how does pinging help?

  By observing that when traffic goes out the "send" SA, something comes back
on the "receive" SA. You might want to actually see the ping packet itself,
but that isn't strictly necessary. Nice, certainly, as it provides
protection against some pathological cases.

    Paul> If you mean that TCP will recover from temporary SA outages, that's
    Paul> true if the outage is short enough.  But one-sided loss of SA may last 
    Paul> for minutes or hours if there isn't a specific mechanism to recover.

  I'm curious about how one-sided loss of an SA works. Does one machine
involved in the SA "half-crash"? Or is this due to a receiver side of an SA
deciding that the hard k-byte limit was reached, and removing it, while the
sender still thinks it is good?

  One disadvantage of pinging between the client and *gateway* is that it
provides no protection against internal routing mishaps at headquarters. It
might be better to fail-over to another gateway entirely in that situation,
as it may have the appropriate internal connectivity. Without security
gateways in the way, this would occur naturally via routing updates (assuming
the ideal situation that the inside was routable from the outside).

  I'm not sure if having the client (road-warrior) ping the server really
helps for gateway/intranet fail-over, but I know that pinging the gateway
doesn't tell the client anything.

]      Out and about in Ottawa.    hmmm... beer.                |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
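The liveness idea Michael describes (watch that traffic leaving on the "send" SA is answered by something arriving on the "receive" SA, and probe only when there is nothing to observe) is sketched below as an added example; it is not code from the list, from any vendor, or from any IPsec implementation. The SPIs, timeouts and the event log are constructed, and the "suspect" state is where a real gateway would start its fail-over decision. It also models the one-sided loss case raised in the reply: outbound traffic on pair B keeps flowing while the peer has silently dropped its receive side.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SaPair:
    """One send/receive SA pair with a single peer (SPIs are constructed values)."""
    send_spi: int
    recv_spi: int
    idle_timeout: float = 30.0     # seconds of unanswered outbound traffic before the pair is 'suspect'
    probe_interval: float = 15.0   # with no outbound traffic for this long, only a probe can tell us anything
    last_sent: Optional[float] = None
    last_received: Optional[float] = None
    unanswered_since: Optional[float] = None   # timestamp of the first outbound packet not yet answered
    bytes_sent: int = 0
    bytes_received: int = 0


class LivenessMonitor:
    """Passive heartbeat: correlate traffic on the send SA with traffic on the receive SA."""

    def __init__(self, pairs):
        self.pairs = {p.send_spi: p for p in pairs}
        self._by_recv = {p.recv_spi: p for p in pairs}

    def observe(self, ts, direction, spi, nbytes):
        """Feed one packet event: ('out', send SPI) or ('in', receive SPI)."""
        if direction == "out":
            p = self.pairs[spi]
            p.last_sent = ts
            p.bytes_sent += nbytes
            if p.unanswered_since is None:
                p.unanswered_since = ts          # start the clock on the first unanswered send
        elif direction == "in":
            p = self._by_recv[spi]
            p.last_received = ts
            p.bytes_received += nbytes
            p.unanswered_since = None            # anything back on the receive SA clears the clock
        else:
            raise ValueError(f"unknown direction {direction!r}")

    def state(self, p, now):
        if p.last_sent is None:
            return "idle"                        # nothing sent yet, so nothing can be concluded
        if p.unanswered_since is not None and now - p.unanswered_since > p.idle_timeout:
            return "suspect"                     # we keep sending, nothing comes back: one-sided loss
        return "alive"

    def needs_probe(self, p, now):
        """True when there is no outbound traffic to observe, so a ping through the tunnel is needed."""
        return p.last_sent is None or now - p.last_sent > p.probe_interval

    def report(self, now):
        return {spi: self.state(p, now) for spi, p in self.pairs.items()}


# Constructed event log: (timestamp, direction, SPI, bytes). Pair A (0x1001/0x2001)
# stays healthy; pair B (0x1002/0x2002) gets no replies after t=20, as if the peer
# had removed its receive SA (e.g. at a hard byte limit) while we still use the send SA.
EVENTS = [
    (0.0, "out", 0x1001, 100), (1.0, "in", 0x2001, 60),
    (5.0, "out", 0x1002, 200), (6.0, "in", 0x2002, 80),
    (10.0, "out", 0x1001, 100), (11.0, "in", 0x2001, 60),
    (20.0, "out", 0x1002, 200),
    (30.0, "out", 0x1002, 200),
    (40.0, "out", 0x1001, 100), (41.0, "in", 0x2001, 60),
    (55.0, "out", 0x1002, 200),
]


def run(events, now):
    """Replay all events up to 'now' into a fresh monitor; return (monitor, state per send SPI)."""
    mon = LivenessMonitor([SaPair(0x1001, 0x2001), SaPair(0x1002, 0x2002)])
    for ev in sorted(events, key=lambda e: e[0]):
        if ev[0] <= now:
            mon.observe(*ev)
    return mon, mon.report(now)


if __name__ == "__main__":
    for now in (2.0, 25.0, 60.0):
        mon, states = run(EVENTS, now)
        probes = [hex(spi) for spi, p in mon.pairs.items() if mon.needs_probe(p, now)]
        print(f"t={now:>5}: {{ {', '.join(f'{hex(s)}: {st}' for s, st in states.items())} }}"
              f"  probe needed on {probes or 'none'}")
```

At t=25 pair B is still "alive" because the unanswered send at t=20 is inside the 30 s window; by t=60 it is "suspect" even though bytes keep leaving on its send SA, which is exactly the asymmetry a byte counter on the send side alone would never reveal. Pair A at t=60 has been quiet for 20 s, so the monitor asks for a probe rather than guessing.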