Re: Heartbeats Straw Poll
>>>>> "Steven" == Steven M Bellovin <email@example.com> writes:
Steven> In message <200008091317.QAA19824@torni.hel.fi.ssh.com>, Tero
Steven> Kivinen writes:
>> Also a comment for those who complain about keepalives being
>> make-deads, that is NOT TRUE for the ipsec traffic. Your TCP/IP
>> session is not dead even if the IPsec SA is removed. The SA will be
>> recreated immediately when you send your next packet to that
Steven> But the proponents of this scheme keep saying that they need to
Steven> free up the (inner) IP addresses, which will indeed cause the TCP
Steven> sessions to die the true death. If it's not IP addresses we're
Steven> concerned with, what resource are we trying to conserve?
Those who need to free up the inner IP address can do so. That does not
change the heartbeat protocol itself. The question is:
"how do I detect that the SA is no longer valid?"
not: "what should I do when the SA dies?"
Steven> Your other points -- about the possible operational necessity for
Steven> this scheme -- are far more important, and deserve a lot more
Steven> scrutiny and thought. While I'm far from convinced that
Steven> heartbeats (especially IKE-level heartbeats) are the right way to
Steven> deal with the issue, black hole routes have historically been a
Steven> problem on the net, and we need to ensure that we are not
Steven> creating more of them.
Left for emphasis.
:!mcr!: | Solidum Systems Corporation, http://www.solidum.com
Michael Richardson |For a better connected world,where data flows faster<tm>