Re: Heartbeats Straw Poll

["Shawn Mamros" <smamros@nortelnetworks.com>]

>IMHO, a heartbeat protocol should run over a dedicated transport mode
>Phase 2 SA whose selector is specific to the heartbeat mechanism. I
>would allocate a new UDP port number specifically for the heartbeat
>mechanism just so it can distinguished from all other user data. An
>IPSEC peer that wants keepalives just has to create this SA using a
>standard quick mode exchange. A peer that _doesn't_ want to accept
>the heart-beat protocol can deny the quick mode request via its SPD.

Why reinvent the wheel?  We have a protocol that already does this:
ICMP.

IPsec transport mode SA, negotiated specifically for ICMP, between
the two endpoint addresses.  No changes to IKE necessary, just a
matter of policy on both sides.  Don't want heartbeats?  Don't set
up the SA.

Either side can initiate a ping anytime they want.  No need to
negotiate intervals, or retry counts, or any of that.  Each side
decides their own policy in this regard.  If the other side doesn't
answer, delete the SA and any other SAs considered to be related.

Since it's a separate SA, those who don't want to add the ping
packets to their accounting records can choose not to do so.

Rekey interval for the ICMP SA can be set as appropriate, if one
wants to check on the health of the IKE SA on the other side.

Simple.  Clean.  Effective.  Not covered by any patents I know of.
Works.  Right?

-Shawn Mamros
E-mail to: smamros@nortelnetworks.com

---

Follow-Ups:

• Re: Heartbeats Straw Poll
• From: Ben McCann <bmccann@indusriver.com>
• Re: Heartbeats Straw Poll
• From: Michael Richardson <mcr@solidum.com>
• Re: Heartbeats Straw Poll
• From: "Scott Fanning" <sfanning@cisco.com>
• Re: Heartbeats Straw Poll
• From: Ricky Charlet <rcharlet@redcreek.com>

---

• Prev by Date: Re: IV sizes for AES candidates
• Next by Date: Re: Heartbeats Straw Poll
• Prev by thread: RE: Heartbeats Straw Poll
• Next by thread: Re: Heartbeats Straw Poll
• Index(es):
  • Main
  • Thread