
RE: Heartbeats Straw Poll

I haven't been following these notes, but here is a view anyway:

LAN-LAN VPN - for these, it is very important to know if the link is up or
not. To solve this one at the 'virtual data-link' level, we used a ping as a
keepalive. The tunnel is an IPIP tunnel which uses a 'socket' interface to
IPSEC to request transport mode protection. On the exchange of polls, the
interface is marked 'up'. If n polls are missing, it is marked down (with
routing and fail-over links taking the appropriate action).

Client - the same ping method could be used for user tunnels. The objections
to this in the past have been that this would mandate the client being
allowed (through IPSEC policy) to ping the security gateways.  I don't see
why this is such a big deal. Using this, the security gateway can run an
idle time on the IPSEC SAs - to allow DHCP addresses and 'crypto-session'
resources to be recycled. If the client wants to check if the security
gateway is still 'connected', just use the ping - no need for the security
gateway to generate them, just reply. Having said that, we have implemented the
IKE-based keepalive as supported by a well-known IPSEC client.

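The keepalive scheme described in the message above (poll over the tunnel, mark the interface up on a completed exchange, mark it down after n missed polls, and let the gateway run an idle timer on the SA) as a small state machine. This is an added example, not code from the original message or from the poster's product: the class names, the parameters (poll interval, reply deadline, n, idle timeout) and the schedule it is driven with are assumptions chosen for illustration; a real implementation would send ICMP echo over the IPIP tunnel rather than calling these methods.

```python
"""Ping-style tunnel keepalive modelled as a liveness state machine.

Added example, not code from the original message. Names, parameters and
the constructed schedule below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class TunnelLiveness:
    """Polling side: decides whether the virtual link is up or down."""
    max_missed: int = 3                      # n unanswered polls -> down
    up: bool = False                          # interface starts down
    missed: int = 0                           # consecutive unanswered polls
    outstanding: set = field(default_factory=set)    # seqs awaiting a reply
    transitions: list = field(default_factory=list)  # (time, "up"/"down")
    _next_seq: int = 0

    def send_poll(self, now: float) -> int:
        seq = self._next_seq
        self._next_seq += 1
        self.outstanding.add(seq)
        return seq

    def reply_received(self, seq: int, now: float) -> bool:
        # A reply nobody asked for (stale, duplicate, spoofed) must not mark
        # the link up, so only outstanding sequence numbers count.
        if seq not in self.outstanding:
            return False
        self.outstanding.discard(seq)
        self.missed = 0                       # one good exchange clears misses
        if not self.up:
            self.up = True
            self.transitions.append((now, "up"))
        return True

    def poll_timeout(self, seq: int, now: float) -> None:
        """Reply deadline for `seq` passed without a reply."""
        if seq not in self.outstanding:
            return                            # already answered
        self.outstanding.discard(seq)
        self.missed += 1
        if self.up and self.missed >= self.max_missed:
            self.up = False
            self.transitions.append((now, "down"))


@dataclass
class GatewayIdleTimer:
    """Security gateway side: only replies to polls; recycles the SA when idle."""
    idle_timeout: float
    last_traffic: float = 0.0

    def traffic_seen(self, now: float) -> None:
        self.last_traffic = now

    def idle_expired(self, now: float) -> bool:
        return now - self.last_traffic >= self.idle_timeout


def simulate(link_delivers: Callable[[float], bool], duration: float = 120,
             interval: float = 10, reply_deadline: float = 5,
             max_missed: int = 3, idle_timeout: float = 30):
    """Drive both sides with a constructed schedule: one poll per `interval`.

    link_delivers(t) says whether the poll sent at time t reaches the gateway
    (its reply is then assumed to arrive one second later). Returns the
    poller's up/down transitions and the first tick at which the gateway's
    idle timer would have recycled the SA (None if it never fires).
    """
    client = TunnelLiveness(max_missed=max_missed)
    gateway = GatewayIdleTimer(idle_timeout=idle_timeout)
    recycle_at: Optional[float] = None
    t = 0.0
    while t <= duration:
        seq = client.send_poll(t)
        if link_delivers(t):
            gateway.traffic_seen(t)            # the poll itself is traffic
            client.reply_received(seq, t + 1)  # gateway just replies
        else:
            client.poll_timeout(seq, t + reply_deadline)
        if recycle_at is None and gateway.idle_expired(t):
            recycle_at = t
        t += interval
    return client.transitions, recycle_at


if __name__ == "__main__":
    # Constructed scenario: the link works until t=40, then every poll is lost.
    print(simulate(lambda t: t < 40))
```

With the defaults, the link comes up after the first exchange and goes down 25 seconds after the last successful poll (three polls at 40, 50 and 60 each wait out a 5-second reply deadline), while the gateway's 30-second idle timer fires at t=60, before the poller has declared the link dead. The relative setting of the two timers is what decides whether resources are recycled under a link that one side still considers up, which is the interaction the rest of the thread is arguing about.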

-----Original Message-----
From: Steven M. Bellovin [mailto:smb@research.att.com]
Sent: Wednesday, August 09, 2000 4:19 PM
To: Tero Kivinen
Cc: ipsec@lists.tislabs.com
Subject: Re: Heartbeats Straw Poll 

In message <200008091317.QAA19824@torni.hel.fi.ssh.com>, Tero Kivinen

>Also a comment for those who complain about keepalives being
>make-deads, that is NOT TRUE for the ipsec traffic. Your TCP/IP
>session is not dead even if the IPsec SA is removed. The SA will be
>recreated immediately when you send your next packet to that

But the proponents of this scheme keep saying that they need to free up 
the (inner) IP addresses, which will indeed cause the TCP sessions to 
die the true death.  If it's not IP addresses we're concerned with, 
what resource are we trying to conserve?

Your other points -- about the possible operational necessity for this 
scheme -- are far more important, and deserve a lot more scrutiny and 
thought.  While I'm far from convinced that heartbeats (especially 
IKE-level heartbeats) are the right way to deal with the issue, black 
hole routes have historically been a problem on the net, and we need to 
ensure that we are not creating more of them.

		--Steve Bellovin