Re: Heartbeats Straw Poll

>>>>> "Skip" == Skip Booth <ebooth@cisco.com> writes:
    Skip> This is a fair proposal and one that has been made before if memory
    Skip> serves me correctly.  It is simply a keepalive mechanism, albeit
    Skip> one that doesn't require any change to IKE which is probably a good
    Skip> thing.  However it does double the number of SAs a box must
    Skip> terminate in the remote access scenario.

  The source address of the ICMP ping that the gateway sends can be whatever
is necessary to fit into the existing SA.
  If the existing SA is a protocol-specific, or port-specific SA that does
not permit ICMP, then you can't use this. I do not believe that there are any
currently deployed situations where people are using such policies, and I
have long argued that certain ICMP should be permitted by such a policy in any
case.

    >>  The really interesting question, to me, is what should happen when a
    >> new SA is created with the same SPD data as an existing one.  That is,
    >> what happens when one side thinks things are dead and tries to create
    >> a new SA, while the other side thinks things are fine.  That can
    >> happen with my proposal and with keep-alives -- the condition that
    >> creates any sort of keep-alive failure is a loss of communications.

    Skip> I would hope the original is destroyed.  This really shouldn't be
    Skip> any different than a new phase 1/2 SA negotiation sequence with a
    Skip> peer which didn't receive the SA delete messages.

  This is partly the problem that the birth certificate solves.

   :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |For a better connected world,where data flows faster<tm>
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
	mailto:mcr@sandelman.ottawa.on.ca	mailto:mcr@solidum.com
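As an added illustration of the two points in the exchange above (a ping-based keepalive must fit the existing SA's selectors, so a protocol- or port-specific SA that excludes ICMP cannot carry it, and a new SA that arrives with the same SPD data as an existing one replaces the original), here is a constructed Python simulation. It is not code from the thread's authors or from any IPsec implementation; the selector and SA-database model, the 30-second timeout, the SPIs and the addresses are all assumptions.

```python
"""Constructed simulation of the two points in the thread above: a keepalive
ping only fits an SA whose selectors permit ICMP (and its source address must
lie inside the SA's source selector), and a new SA carrying the same SPD data
as an existing one replaces it.  Added example, not code from the thread's
authors or any IPsec implementation; the data model, timeout and addresses
are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ICMP = 1   # IP protocol numbers
TCP = 6


@dataclass(frozen=True)
class Selector:
    """SPD data for one SA. proto=None means any protocol, dst_port=None any port."""
    src_net: str
    dst_net: str
    proto: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class SA:
    spi: int
    selector: Selector
    last_heard: float   # time of last traffic received from the peer on this SA


def selector_permits_icmp(sel: Selector) -> bool:
    """ICMP carries no ports, so a port-specific selector can never match it."""
    return sel.proto in (None, ICMP) and sel.dst_port is None


def keepalive_source(sel: Selector, gateway_addrs: List[str]) -> Optional[str]:
    """Choose a gateway address inside the SA's source selector so the ping is
    carried by the existing SA.  None means this SA cannot carry a ping."""
    if not selector_permits_icmp(sel):
        return None
    net = ipaddress.ip_network(sel.src_net)
    for addr in gateway_addrs:
        if ipaddress.ip_address(addr) in net:
            return addr
    return None


class SADatabase:
    """SAs keyed by SPD data.  Installing an SA whose SPD data matches an
    existing one tears the original down (the behaviour Skip hopes for)."""

    def __init__(self, timeout: float):
        self.timeout = timeout
        self.sas: Dict[Selector, SA] = {}
        self.deleted: List[int] = []   # SPIs torn down, kept for inspection

    def install(self, sa: SA) -> Optional[int]:
        """Install sa; return the SPI of the SA it replaced, if any."""
        old = self.sas.get(sa.selector)
        if old is not None:
            self.deleted.append(old.spi)
        self.sas[sa.selector] = sa
        return old.spi if old is not None else None

    def heard_from(self, sel: Selector, now: float) -> None:
        self.sas[sel].last_heard = now

    def dead_peers(self, now: float) -> List[int]:
        """SPIs silent longer than the timeout; the caller renegotiates those."""
        return [sa.spi for sa in self.sas.values()
                if now - sa.last_heard > self.timeout]


def scenario() -> dict:
    """One-way loss of communications: A's pings reach B but B's replies never
    reach A, so A declares the SA dead while B thinks things are fine."""
    sel = Selector("10.0.0.0/24", "192.0.2.0/24")                # any-protocol SA
    tcp_sel = Selector("10.0.0.0/24", "192.0.2.0/24", TCP, 443)  # port-specific SA
    gateway = ["172.16.0.1", "10.0.0.1"]                         # constructed addresses

    a, b = SADatabase(timeout=30.0), SADatabase(timeout=30.0)
    a.install(SA(spi=0x1001, selector=sel, last_heard=0.0))
    b.install(SA(spi=0x1001, selector=sel, last_heard=0.0))
    b.heard_from(sel, 100.0)                 # B keeps receiving A's pings
    dead_at_a = a.dead_peers(100.0)          # A heard nothing: [0x1001]
    dead_at_b = b.dead_peers(100.0)          # B sees no problem: []

    new_sa = SA(spi=0x2002, selector=sel, last_heard=100.0)
    a.install(new_sa)                        # A renegotiates with the same SPD data
    replaced_at_b = b.install(new_sa)        # B destroys the original: 0x1001
    return {
        "keepalive_src": keepalive_source(sel, gateway),          # "10.0.0.1"
        "tcp_keepalive_src": keepalive_source(tcp_sel, gateway),  # None
        "dead_at_a": dead_at_a,
        "dead_at_b": dead_at_b,
        "replaced_at_b": replaced_at_b,
        "b_active_spis": [sa.spi for sa in b.sas.values()],      # [0x2002]
    }


if __name__ == "__main__":
    print(scenario())
```

The `keepalive_source` step is what the first paragraph of the reply describes: the gateway picks whichever of its addresses falls inside the SA's source selector, and gives up on the port-specific SA because no ICMP packet can match it. The `install` step shows the duplicate-SA case from the second exchange: B never saw a problem, yet the new SA's SPD data matches its existing entry, so the original is replaced rather than kept alongside it.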