
Re: Heartbeats Straw Poll



"Steven M. Bellovin" wrote:
> 
> In message <p05000a47b5b615ec64f7@[165.227.249.17]>, Paul Hoffman / VPNC writes:
> 
> >
> >So far, the two gateway resources that have been best identified are
> >state memory and IP addresses. Despite memory being cheap, we might
> >want to conserve it if the process for conserving it is not too
> >onerous. As for IP addresses, we don't need to be any more aggressive
> >about them than the current protocol that uses them, namely DHCP.
> 
> Precisely.  In ipsra, it was pointed out that we need some sort of
> identifier to pass to DHCP in lieu of a MAC address.  If we use, say,
> the cert-id, someone who dials in anew and negotiates a new SA will get
> the same DHCP address, which is exactly what you want to preserve
> ongoing application connections.  Furthermore, by DHCP semantics you
> can't reuse an address until its lease is up, which again means that
> you don't need a heartbeat to tell you that you've lost touch.
> 

Maybe I'm misunderstanding you. If you require DHCP to associate a
specific cert-id with a specific address, you lose scaling capability,
meaning you may as well statically assign the address. What seems more
reasonable is to associate a pattern (which the cert-id or whatever you
use matches) with an address *pool*, but in this case you have no
guarantee that the same address is reassigned in subsequent attempts,
and in fact, this is somewhat unlikely. This in turn implies that there
may be a window during which addresses become unavailable, but the
window size may be reduced by shortening the DHCP lease duration.

Scott


> As for memory -- pulling out a random catalog that's sitting on my desk
> right now, it seems that desktop memory costs ~$2/meg.  How many SAs
> can I fit in 1 meg?  Easily worth the $2, especially when I think of
> what the programmer time would be to implement something complex.
> 
>                 --Steve Bellovin
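As an added illustration (not code from this thread, nor from any ipsec or ipsra implementation), the following Python models the lease semantics being argued over: a pool keyed by a client identifier standing in for the cert-id, with a fixed lease. It shows both effects at once. A client that comes back within its lease gets the same address with no heartbeat involved, and an address held by a client whose tunnel silently died stays unavailable to anyone else until that lease runs out; shortening the lease shrinks that window, but also drops the identifier-to-address binding sooner, so the returning client may then get a different address. The names `CN=alice`, `CN=bob`, `CN=carol`, the pool `10.0.0.0/30`, the timestamps and the lease lengths are constructed values.

```python
"""Toy DHCP-style lease pool keyed by a client identifier (e.g. a cert-id).

Constructed illustration, not an ipsec WG artifact.  Rules modelled:
  * one lease binds one client-id to one address for `lease_secs`;
  * an address is never reissued to anyone else before its lease expires;
  * a client returning before expiry gets its existing address back
    (and the lease is renewed);
  * nobody tells the server that a tunnel died, so expiry is the only
    way an address ever returns to the free list.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    client_id: str
    address: ipaddress.IPv4Address
    expires_at: float


class LeasePool:
    def __init__(self, network, lease_secs):
        net = ipaddress.ip_network(network)
        self._free = list(net.hosts())        # FIFO of unassigned addresses
        self._lease_secs = lease_secs
        self._by_client = {}                  # client_id -> Lease
        self._by_addr = {}                    # address  -> Lease

    def _expire(self, now):
        # Leases whose time is up go back to the pool; nothing else does.
        for lease in list(self._by_addr.values()):
            if lease.expires_at <= now:
                del self._by_addr[lease.address]
                del self._by_client[lease.client_id]
                self._free.append(lease.address)

    def allocate(self, client_id, now):
        """Return the address leased to client_id at time `now`."""
        self._expire(now)
        lease = self._by_client.get(client_id)
        if lease is None:
            if not self._free:
                raise RuntimeError("pool exhausted")
            lease = Lease(client_id, self._free.pop(0), now + self._lease_secs)
            self._by_client[client_id] = lease
            self._by_addr[lease.address] = lease
        else:
            # Same client, lease still valid: same address, lease renewed.
            lease.expires_at = now + self._lease_secs
        return str(lease.address)

    def available(self, now):
        self._expire(now)
        return len(self._free)


def scenario(lease_secs):
    """Two clients connect, both tunnels die silently, a third client
    arrives, then the first client reconnects with a fresh SA.
    Returns what each party was given (None = pool exhausted)."""
    pool = LeasePool("10.0.0.0/30", lease_secs)   # exactly two host addresses
    alice = pool.allocate("CN=alice", now=0)
    bob = pool.allocate("CN=bob", now=0)
    # t=10: both tunnels drop; no release reaches the server.
    try:
        carol = pool.allocate("CN=carol", now=100)
    except RuntimeError:
        carol = None                               # bob's address still leased
    alice_again = pool.allocate("CN=alice", now=120)
    return {
        "alice": alice,
        "bob": bob,
        "carol": carol,
        "alice_reconnect": alice_again,
        "free_at_130": pool.available(130),
    }


if __name__ == "__main__":
    for secs in (600, 60):
        print(f"lease {secs:>3}s:", scenario(secs))
```

With a 600 s lease Carol is refused at t=100 (Bob's dead tunnel still owns 10.0.0.2) while Alice gets 10.0.0.1 back at t=120; with a 60 s lease both old leases have lapsed by t=100, so Carol is served, but Alice's binding is gone and she is handed whatever is left.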

