
Re: Heartbeats draft available



Andrew Krywaniuk wrote:
>             Using Isakmp Heartbeats for Dead Peer Detection
>              <draft-krywaniuk-ipsec-heartbeats-00.txt>
> 
> Abstract
> 
>    This document describes a method for sending heartbeat packets
>    (sometimes called keep-alives) across an ISAKMP SA in order to detect
>    when a peer has crashed or has become otherwise unreachable. A method
>    for negotiating the heartbeat parameters is also provided.
> ---
> 
> Andrew

Howdy,
	So the list back in November/December spent a lot of energy debating
between doing heart-beats in ISAKMP, or in-band in each IPsec SA, or
out-of-band in a separate and dedicated IPsec SA. While I readily agree
that a simple tallying of the posts shows a majority arguing in favor of
doing heartbeats in ISAKMP, could you please spend a little time anyway
going over your justifications for this approach above the others?
	The biggest challenge I see is that doing heart beats in ISAKMP should
not be considered reliable since an implementation is not required to
keep its ISAKMP SAs around for the lifetime of its IPsec SAs. And an
unreliable heartbeat protocol seems like a poor idea.


--
  Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903

