
Re: Heartbeats Straw Poll



Bill

That's a good idea, but from an implementation point of view, I am not
sure if I like the idea of maintaining a timestamp for every packet (SA
used) through a tunnel.

I guess the problem I want to address with the heartbeats is dead-peer
detection, and as a result do action foo. INITIAL-CONTACT does help in
SADB syncing but is not authenticated and there is no assured delivery.
I think that Scott's point of auditing is a good side-effect of dead-peer
detection, and could also be tied to accounting, but I agree this is
outside the scope of the problem.

Scott


Bill Sommerfeld wrote:
> 
> > Yes, it was pointed out at the ipsra meeting that accounting is not a
> > requirement. However, what about auditing? For purposes of security
> > auditing, it is necessary to know when a remote access client
> > disconnects. Is this a valid requirement?
> 
> Wouldn't keeping track of the last time an SA was used, and logging it
> into your audit trail when the SA expires or is deleted, be sufficient
> for auditing purposes?
> 
>                                         - Bill

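The two mechanisms being compared above, as an added example that is not part of the thread and not code from any IPsec implementation: a toy SADB that stamps each SA on every packet and writes an audit record when the SA expires or is deleted (Bill's suggestion), beside a heartbeat monitor that keeps one timestamp per peer rather than per packet (the dead-peer detection Scott is after). The class names, the 0x1001 SPI, the peer address, the lifetimes and the heartbeat interval are all constructed for the example.

```python
"""Added example (not from the mailing-list thread): per-SA last-use
auditing versus per-peer heartbeat dead-peer detection.
All names, SPIs, addresses and intervals are assumed."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SecurityAssociation:
    spi: int
    peer: str
    created_at: float
    lifetime: float                 # seconds until hard expiry
    last_used: Optional[float] = None
    packets: int = 0


class SADB:
    """Security Association database that records last use per SA.

    on_packet() is the per-packet cost Scott objects to: every packet
    through the tunnel touches the SA's timestamp."""

    def __init__(self) -> None:
        self.sas: Dict[int, SecurityAssociation] = {}
        self.audit: List[dict] = []

    def add(self, spi: int, peer: str, now: float, lifetime: float) -> None:
        self.sas[spi] = SecurityAssociation(spi, peer, now, lifetime)

    def on_packet(self, spi: int, now: float) -> None:
        sa = self.sas[spi]
        sa.last_used = now          # one write per packet
        sa.packets += 1

    def delete(self, spi: int, now: float, reason: str) -> dict:
        """Remove the SA and log its last use into the audit trail."""
        sa = self.sas.pop(spi)
        record = {
            "spi": sa.spi, "peer": sa.peer, "reason": reason,
            "deleted_at": now, "last_used": sa.last_used,
            "packets": sa.packets,
        }
        self.audit.append(record)
        return record

    def expire(self, now: float) -> List[int]:
        """Delete SAs past their hard lifetime; returns the expired SPIs."""
        expired = [spi for spi, sa in self.sas.items()
                   if now - sa.created_at >= sa.lifetime]
        for spi in expired:
            self.delete(spi, now, "expired")
        return expired


class HeartbeatMonitor:
    """Dead-peer detection from authenticated heartbeats.

    State is one timestamp per peer, not per packet. A peer is declared
    dead after max_missed heartbeat intervals of silence."""

    def __init__(self, interval: float, max_missed: int) -> None:
        self.interval = interval
        self.max_missed = max_missed
        self.last_seen: Dict[str, float] = {}

    def heartbeat(self, peer: str, now: float) -> None:
        self.last_seen[peer] = now

    def dead_peers(self, now: float) -> List[str]:
        limit = self.interval * self.max_missed
        return sorted(p for p, t in self.last_seen.items() if now - t > limit)


def run_demo() -> dict:
    """Constructed scenario: three packets on one SA, then the peer goes quiet."""
    db = SADB()
    db.add(0x1001, "10.0.0.2", now=0.0, lifetime=3600.0)
    for t in (10.0, 20.0, 30.0):
        db.on_packet(0x1001, t)
    mon = HeartbeatMonitor(interval=30.0, max_missed=3)
    for t in (0.0, 30.0, 60.0):
        mon.heartbeat("10.0.0.2", t)
    # At t=200 the last-use record alone cannot say whether the peer is idle
    # or gone; the heartbeat monitor can. The audit record arrives only when
    # the SA finally expires at t=3600.
    dead_at_200 = mon.dead_peers(200.0)
    expired = db.expire(3700.0)
    return {"dead_at_200": dead_at_200, "expired": expired, "audit": db.audit}


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes concrete is the one in the message: the last-use audit trail is cheap to read but costs a write per packet, and it reports a disconnect only at SA expiry or deletion, whereas the heartbeat monitor detects the dead peer within a few intervals with per-peer state only.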
