Re: Heartbeats Straw Poll

In message <200008091317.QAA19824@torni.hel.fi.ssh.com>, Tero Kivinen writes:

>Also a comment for those who complain about keepalives being
>make-deads, that is NOT TRUE for the ipsec traffic. Your TCP/IP
>session is not dead even if the IPsec SA is removed. The SA will be
>recreated immediately when you send your next packet to that

But the proponents of this scheme keep saying that they need to free up 
the (inner) IP addresses, which will indeed cause the TCP sessions to 
die the true death.  If it's not IP addresses we're concerned with, 
what resource are we trying to conserve?

Your other points -- about the possible operational necessity for this 
scheme -- are far more important, and deserve a lot more scrutiny and 
thought.  While I'm far from convinced that heartbeats (especially 
IKE-level heartbeats) are the right way to deal with the issue, black 
hole routes have historically been a problem on the net, and we need to 
ensure that we are not creating more of them.

		--Steve Bellovin