
Re: Heartbeats draft available



I don't know about you, but I'm very busy preparing for Adelaide - my
reply is abbreviated.

akrywani@newbridge.com wrote:

<extensively trimmed...>

> Finally, one of the requirements of the draft is to provide a flexible
> negotiation scheme for the heartbeats.

The draft never explicitly lists requirements, which makes this
discussion a bit strained. The points you refer to in an earlier post
are listed as goals, which normally come after an elucidation of
requirements. The draft should have an explicit requirements discussion,
so that we are certain that we are all talking about the same things.

> I think many people in this WG would agree that the absence of a
> standardized configuration protocol is hurting IPsec. Right now,
> ISAKMP-Config is the leading contender for that position, which is why I am
> proposing to use it.

This is a matter of opinion. It has been demonstrated that isa-cfg
attempts to duplicate functionality already provided by another
standardized configuration protocol. isa-cfg was originally proposed to
provide host configuration for remote access clients. It is not a
contender in ipsra for this function, so I would say it is largely an
artifact at this point. I think it's more likely that you are using it
simply because your product already supports it and because you wish to
see it proliferate regardless of its usefulness, and I think this is
wrong.

I am not sure whether heartbeats belong in phase 1 or phase 2, and am
open to discussion on that point. However, I am sure that requiring
everyone to implement an artifact which would not likely become a
standard under any other circumstances is inappropriate. It is not at
all clear at this point that a negotiation facility is required for a
keep-alive or heartbeat mechanism - that is, I have yet to see any
requirements which bear this out. However, if it turns out that one is,
then I think that it should either be handled along with existing SA
attributes (perhaps in the same manner that lifetime is), or it should
be a new exchange.

SA configuration in no way relates to IP host configuration (a la BOOTP
and DHCP), which is what isa-cfg attempts to provide, and there is no
compelling argument for mixing the two.

> Trying to avoid the issue of negotiation by way of a kludge like you are
> suggesting is a false economy. It may seem like a simple solution right now,
> but the sum of many simple, kludgy solutions equals one horrendous mess.

I didn't suggest anything, except that this is an SA feature or
attribute. Your comment is a bit misleading.

> BTW, I would consider heartbeats to be a feature of the connection, and not
> a feature of the SA. That is why I said that I didn't think it was important
> whether they were sent in phase 1 or phase 2.

The SA *is* the connection.

Scott