
RE: Heartbeats Straw Poll

> >>>>> "Skip" == Skip Booth <ebooth@cisco.com> writes:
>     Skip> This is a fair proposal and one that has been made before if memory
>     Skip> serves me correctly.  It is simply a keepalive mechanism, albeit
>     Skip> one that doesn't require any change to IKE which is probably a good
>     Skip> thing.  However it does double the number of SAs a box must
>     Skip> terminate in the remote access scenario.
>   The source address of the ICMP ping that the gateway sends can be whatever
> is necessary to fit into the existing SA.
>   If the existing SA is a protocol-specific, or port-specific SA that does
> not permit ICMP, then you can't use this. I do not believe that there are any
> currently deployed situations where people are using such policies, and I
> have long argued that certain ICMP should be permitted by such a policy in any
> case.

The problem is that you have to maintain a separation between client traffic
and gateway traffic.  If you pick arbitrary addresses from the SAs then you
could pick up genuine client addresses.  If one or other of these clients
attempts to ping the other then this traffic will be effectively filtered
out by the gateways.  This problem may be largely theoretical but it's still
not good practice.

In many cases the 'red' ports of the gateways will be covered by the SA and
hence these addresses can be safely used, but this isn't universal and you
still need a way to determine the safe remote address.
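The selector check the two messages argue about, as an added example that is not part of the thread: an SA's traffic selectors are modelled as address ranges plus optional protocol/port, and a gateway-originated ICMP keepalive is only given a source address that (a) fits the selector, (b) is the gateway's own 'red' address, and (c) does not collide with the client address pool. All addresses, the `Selector` class and `pick_keepalive_source` are constructed for illustration.

```python
"""Added example (not from the mailing-list thread): model an IPsec SA's
traffic selectors and check whether a gateway-originated ICMP keepalive
fits the SA without borrowing a genuine client address.  All selector
values used with this code are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMP = 1   # IP protocol number for ICMP
TCP = 6    # IP protocol number for TCP


@dataclass(frozen=True)
class Selector:
    """One SA's traffic selector: local/remote ranges, protocol, port.
    proto=None or port=None means 'any'."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: Optional[int] = None
    port: Optional[int] = None

    def permits(self, src, dst, proto, port=None):
        """True if a packet src->dst with this protocol/port matches the SA."""
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote
                and (self.proto is None or self.proto == proto)
                and (self.port is None or self.port == port))


def pick_keepalive_source(sel, gateway_red_addr, client_pool, peer_addr):
    """Return a safe source address for an ICMP keepalive inside the SA,
    or None if the SA cannot carry one.  Only the gateway's own 'red'
    (protected-side) address is used; an address from the client pool is
    refused so that genuine client-to-client pings are never shadowed by
    gateway keepalives."""
    if sel.proto is not None and sel.proto != ICMP:
        return None  # protocol- or port-specific SA that does not carry ICMP
    gw = ipaddress.ip_address(gateway_red_addr)
    if gw in client_pool:
        return None  # would collide with a real client address
    if not sel.permits(gw, peer_addr, ICMP):
        return None  # gateway's red address is outside the SA's selector
    return str(gw)
```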