[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

>>>>> "Steven" == Steven M Bellovin <smb@research.att.com> writes:
    Steven> In message <200008091317.QAA19824@torni.hel.fi.ssh.com>, Tero
    Steven> Kivinen writes:

    >>  Also a comment for those who complain about keepalives being
    >> make-deads, that is NOT TRUE for the ipsec traffic. Your TCP/IP
    >> session is not dead even if the IPsec SA is removed. The SA will be
    >> recreated immediately when you send your next packet to that
    >> connection.

    Steven> But the proponents of this scheme keep saying that they need to
    Steven> free up the (inner) IP addresses, which will indeed cause the TCP
    Steven> sessions to die the true death.  If it's not IP addresses we're
    Steven> concerned with, what resource are we trying to conserve?

  Those who need to free up the inner IP address can do so. That does not
change the heartbeat protocol itself. The question is:
	"how do I detect that the SA is no longer valid?"

not:	"what should I do when the SA dies?"

    Steven> Your other points -- about the possible operational necessity for
    Steven> this scheme -- are far more important, and deserve a lot more
    Steven> scrutiny and thought.  While I'm far from convinced that
    Steven> heartbeats (especially IKE-level heartbeats) are the right way to
    Steven> deal with the issue, black hole routes have historically been a
    Steven> problem on the net, and we need to ensure that we are not
    Steven> creating more of them.

  Left for emphasis.

   :!mcr!:            |  Solidum Systems Corporation, http://www.solidum.com
   Michael Richardson |For a better connected world,where data flows faster<tm>
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
	mailto:mcr@sandelman.ottawa.on.ca	mailto:mcr@solidum.com