
RE: Heartbeats Straw Poll



>     Chris> The problem is that you have to maintain a separation between
>     Chris> client traffic and gateway traffic.  If you pick arbitrary
>
>   For a single ping every 2-10 minutes, I hardly think that
> any accounting rules matter in this regard.
>
>     Chris> addresses from the SAs then you could pick up genuine client
>     Chris> addresses.  If one or other of these clients attempts to ping the
>
> You mean a genuine address that belongs to the server that
> the client is talking to. So what? The server sees a gratuitous ICMP
> Echo Response now and then.

I mean VPN clients - not as in client-server.  In this case you can't assume
that any particular address maps to anything (the subnet/range probably
isn't fully populated).

>
>     Chris> other than this traffic will be effectively filtered out by the
>     Chris> gateways.  This problem may be largely theoretical but it's still
>     Chris> not good practice.
>
>   Making a new SA which may be routed in an entirely
> different fashion, due to QoS, isn't much of a better solution.

I'm not sure what you mean here - all I've said is that if you mark certain
SA addresses/protocol for heart beats then these are effectively removed
from use by the (VPN) clients.

>     Chris> In many cases the 'red' ports of the gateways will be covered by
>     Chris> the SA and hence these addresses can be safely used but this isn't
>     Chris> universal and you still need a way to determine the safe remote
>     Chris> address.
>
>   No need. The SA tells you.

The SA does not tell you whether it includes an address that is owned by
either gateway, nor whether any address is actually populated.

>   You just don't care if you see the ICMP Echo Response. You see *traffic*;
> that is enough to know that things are alive. If you see no traffic
> for a while, then you must force some to see if the SA is alive.  The only
> thing that this screws up is some NAS/client PPP idle timer, but all
> heartbeat/make-dead protocols screw that up.

This I agree with - you just need to see some valid traffic on an SA to know
that the other end is still alive.  I don't think this needs an echo though.
As long as each side ensures it transmits sufficient traffic to confirm that
it's still up, there's no need for both sides to send and receive pings.

Chris
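The rule Chris ends with (any valid traffic on the SA proves the peer is alive, and each side only has to keep its own transmit side busy, so no echo/reply pairing is needed) can be modelled as two idle timers per side. The following is an added example written for this page; it is not from the thread, and it is not the behaviour of any particular IPsec or IKE implementation. The timer values, the data schedules, and the link-cut time are constructed for the simulation, and the one-second tick is an assumption of the model.

```python
"""Constructed simulation of traffic-based liveness on an SA (added example).

Model: each side records when it last sent and last received on the SA.
If it has sent nothing for `tx_idle` seconds it emits a one-way keepalive;
application data counts as traffic, so a busy sender never needs to send
one.  If it has received nothing for `rx_timeout` seconds it declares the
peer dead.  No request/response pairing is required: each side only keeps
its own transmit side busy.  All parameter values and schedules are made up
for the example (assumptions, not values from the thread).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Peer:
    name: str
    tx_idle: int        # seconds of transmit silence before sending a keepalive
    rx_timeout: int     # seconds of receive silence before declaring the peer dead
    last_tx: int = 0    # SA assumed established at t=0, so both sides start "fresh"
    last_rx: int = 0
    dead_at: Optional[int] = None
    keepalives_sent: int = 0

    def transmit(self, now: int, has_data: bool) -> bool:
        """Decide whether to put a packet on the SA at `now`.

        Returns True if something is sent (application data or keepalive)."""
        if self.dead_at is not None:
            return False                       # SA torn down, nothing more goes out
        if has_data:
            self.last_tx = now                 # real traffic also counts as a heartbeat
            return True
        if now - self.last_tx >= self.tx_idle:
            self.last_tx = now
            self.keepalives_sent += 1
            return True
        return False

    def receive(self, now: int) -> None:
        """Any valid packet on the SA counts as proof of life; no reply is sent."""
        self.last_rx = now

    def check_liveness(self, now: int) -> None:
        if self.dead_at is None and now - self.last_rx > self.rx_timeout:
            self.dead_at = now


def tolerated_losses(tx_idle: int, rx_timeout: int) -> int:
    """How many consecutive keepalives from the peer may be lost before a
    false dead-peer verdict.  rx_timeout must exceed the peer's tx_idle by
    at least one full interval to survive a single lost keepalive."""
    return max(0, rx_timeout // tx_idle - 1)


def simulate(duration: int,
             data: Dict[str, Set[int]],
             link_cut_at: Optional[int] = None,
             tx_idle: int = 60,
             rx_timeout: int = 150) -> Dict[str, Peer]:
    """Run two peers A and B for `duration` seconds in 1 s steps.

    `data[name]` is the set of times at which that peer has application
    data to send; from `link_cut_at` onwards packets are silently dropped in
    both directions (None means the link stays up)."""
    peers = {"A": Peer("A", tx_idle, rx_timeout),
             "B": Peer("B", tx_idle, rx_timeout)}
    other = {"A": "B", "B": "A"}
    for now in range(1, duration + 1):
        sent = [n for n, p in peers.items()
                if p.transmit(now, now in data.get(n, set()))]
        link_up = link_cut_at is None or now < link_cut_at
        if link_up:
            for n in sent:
                peers[other[n]].receive(now)
        for p in peers.values():
            p.check_liveness(now)
    return peers


if __name__ == "__main__":
    # Constructed scenarios: idle SA, one-way data from A, and a link cut at t=300.
    for label, kwargs in (("idle", {}),
                          ("A busy", {"data": {"A": set(range(30, 601, 30))}}),
                          ("cut@300", {"link_cut_at": 300})):
        res = simulate(600, kwargs.get("data", {}), kwargs.get("link_cut_at"))
        for p in res.values():
            print(f"{label:8s} {p.name}: keepalives={p.keepalives_sent} dead_at={p.dead_at}")
    print("keepalive losses tolerated:", tolerated_losses(60, 150))
```

In the "A busy" scenario A never sends a keepalive because its data already keeps the SA busy, while B still sends one every `tx_idle` seconds; neither side ever replies to anything. When the link is cut at t=300, the last packet each side saw was the keepalive at t=240, so both declare the peer dead at t=391. The `tolerated_losses` check is the caveat a practitioner wants: with these made-up values a single lost keepalive is harmless, but two in a row produce a false dead-peer verdict, so `rx_timeout` has to be sized against the peer's `tx_idle`, not your own.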