[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

To: ipsec@lists.tislabs.com
Subject: Re: Heartbeats Straw Poll
From: Michael Richardson <mcr@solidum.com>
Date: Tue, 08 Aug 2000 13:06:44 -0400
In-Reply-To: Your message of "Tue, 08 Aug 2000 17:47:34 BST." <1FD60AE4DB6CD2118C420008C74C27B854A79B@hhdata3.cdsemea.baltimore.com>
Sender: owner-ipsec@lists.tislabs.com

>>>>> "Chris" == Chris Trobridge <CTrobridge@baltimore.com> writes:
    >>  The source address of the ICMP ping that the gateway sends can be
    >> whatever is necessary to fit into the existing SA.  If the existing SA
    >> is a protocol specific, or port-specific SA that does not permit ICMP,

    Chris> The problem is that you have to maintain a separation between
    Chris> client traffic and gateway traffic.  If you pick arbitrary

  For a single ping every 2-10 minutes, I hardly think that any accounting
rules matter in this regard.

    Chris> addresses from the SAs then you could pick up genuine client
    Chris> addresses.  If one or other of these clients attempts to ping the

  You mean a genuine address that belongs to the server that the client
is talking to. So what? the server sees a gratuitous ICMP Echo Response
now and then.

    Chris> other then this traffic will be effectively filtered out by the
    Chris> gateways.  This problem may be largely theoretical but it's still
    Chris> not good practice.

  Making a new SA which may be routed in an entirely different fashion, 
due to QoS isn't much of a better solution.

    Chris> In many cases the 'red' ports of the gateways will be covered by
    Chris> the SA and hence these addresses can be safely used but this isn't
    Chris> universal and you still need a way to determine the safe remote
    Chris> address.

  No need. The SA tells you.
  You just don't care if you see the ICMP Echo Response. You see *traffic*
that is that is enough to know that things are alive. If you see no traffic
for awhile, then you must force some to see if the SA is alive.  The only
thing that this screws up is some NAS/client PPP idle timer, but all
heartbeat/make-dead protocols screw that up.

   :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |For a better connected world,where data flows faster<tm>
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
	mailto:mcr@sandelman.ottawa.on.ca	mailto:mcr@solidum.com

Follow-Ups:

Re: Heartbeats Straw Poll

From: Jan Vilhuber <vilhuber@cisco.com>

References:

RE: Heartbeats Straw Poll

From: Chris Trobridge <CTrobridge@baltimore.com>

Prev by Date: RE: Heartbeats Straw Poll
Next by Date: Re: Heartbeats Straw Poll
Prev by thread: RE: Heartbeats Straw Poll
Next by thread: Re: Heartbeats Straw Poll
Index(es):
- Main
- Thread