Re: Heartbeats Straw Poll
>>>>> "Chris" == Chris Trobridge <CTrobridge@baltimore.com> writes:
>> The source address of the ICMP ping that the gateway sends can be
>> whatever is necessary to fit into the existing SA. If the existing SA
>> is a protocol specific, or port-specific SA that does not permit ICMP,
Chris> The problem is that you have to maintain a separation between
Chris> client traffic and gateway traffic. If you pick arbitrary
For a single ping every 2-10 minutes, I hardly think that any accounting
rules matter in this regard.
Chris> addresses from the SAs then you could pick up genuine client
Chris> addresses. If one or other of these clients attempts to ping the
You mean a genuine address that belongs to the server that the client
is talking to. So what? The server sees a gratuitous ICMP Echo Response
now and then.
Chris> other then this traffic will be effectively filtered out by the
Chris> gateways. This problem may be largely theoretical but it's still
Chris> not good practice.
Making a new SA, which may be routed in an entirely different fashion
due to QoS, isn't much of a better solution.
Chris> In many cases the 'red' ports of the gateways will be covered by
Chris> the SA and hence these addresses can be safely used but this isn't
Chris> universal and you still need a way to determine the safe remote
No need. The SA tells you.
You just don't care if you see the ICMP Echo Response. You see *traffic*;
that is enough to know that things are alive. If you see no traffic
for a while, then you must force some to see if the SA is alive. The only
thing that this screws up is some NAS/client PPP idle timer, but all
heartbeat/make-dead protocols screw that up.
:!mcr!: | Solidum Systems Corporation, http://www.solidum.com
Michael Richardson |For a better connected world, where data flows faster<tm>
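The traffic-based liveness check argued for in the message above (any inbound packet on the SA counts as proof of life, a probe is forced only after a period of silence, and the probe is addressed from within the SA's own selector so it rides the existing SA), written out as an added Python sketch that is not part of the original post. The class and helper names, the timers and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Optional

ICMP = 1  # IP protocol number for ICMP

def first_host(net: IPv4Network):
    """First usable address inside a selector range (the address itself for a /32)."""
    return net[0] if net.num_addresses <= 2 else net[1]

@dataclass
class Selector:
    """Traffic selector of an SA: address ranges plus the protocols it carries."""
    local_net: IPv4Network
    remote_net: IPv4Network
    protocols: Optional[frozenset] = None   # None means any protocol

    def can_probe(self) -> bool:
        # A probe can only ride this SA if the selector admits ICMP.
        return self.protocols is None or ICMP in self.protocols

@dataclass
class SAMonitor:
    """Liveness by traffic: silence, not a missed heartbeat, triggers a probe."""
    selector: Selector
    idle_limit: float        # seconds of silence before we force some traffic
    max_missed: int = 3      # unanswered probes before the SA is declared dead
    last_seen: float = 0.0
    missed: int = 0
    dead: bool = False

    def on_inbound(self, now: float) -> None:
        """Any packet arriving on the SA (data or a gratuitous echo reply alike)
        proves the peer is alive and resets the idle clock."""
        self.last_seen, self.missed, self.dead = now, 0, False

    def tick(self, now: float):
        """Called once per probe interval. Returns (src, dst) for a probe the
        caller should send inside the SA, or None when nothing is needed."""
        if self.dead or now - self.last_seen < self.idle_limit:
            return None
        if not self.selector.can_probe():
            return None          # selector excludes ICMP: this SA cannot be probed
        if self.missed >= self.max_missed:
            self.dead = True     # sustained silence and no answers: tear down / rekey
            return None
        self.missed += 1
        # Addresses come from the SA's own selector, so the probe fits the
        # existing SA instead of requiring a new, differently routed one.
        return first_host(self.selector.local_net), first_host(self.selector.remote_net)

def make_monitor(local: str, remote: str, protocols=None, idle_limit: float = 120.0) -> SAMonitor:
    """Convenience constructor taking CIDR strings (constructed helper)."""
    return SAMonitor(Selector(IPv4Network(local), IPv4Network(remote), protocols), idle_limit)
```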