[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

Shawn Mamros wrote:
> >IMHO, a heartbeat protocol should run over a dedicated transport mode
> >Phase 2 SA whose selector is specific to the heartbeat mechanism. I
> >would allocate a new UDP port number specifically for the heartbeat
> >mechanism just so it can distinguished from all other user data. An
> >IPSEC peer that wants keepalives just has to create this SA using a
> >standard quick mode exchange. A peer that _doesn't_ want to accept
> >the heart-beat protocol can deny the quick mode request via its SPD.
> Why reinvent the wheel?  We have a protocol that already does this:

I originally thought ICMP was OK too, but several people have
argued against it. For example:

1. ICMP may not be passed or acknowledged due to security policy.

2. ICMP may be counted against usage statistics thus adding bytes
   the user didn't send.

3. ICMP "heartbeat" packets can't be dropped by the SPD (if that is
   your policy) without dropping all other legitimate ICMP packets.

I suggested a separate UDP protocol port just to make it unambiguous
so heartbeats can be omitted easily from statistics and so they can
be controlled via the SPD without affecting other ICMP traffic. If
these arguments aren't sufficiently strong then I agree with you that
ICMP is a very viable heartbeat mechanism.

> IPsec transport mode SA, negotiated specifically for ICMP, between
> the two endpoint addresses.  No changes to IKE necessary, just a
> matter of policy on both sides.  Don't want heartbeats?  Don't set
> up the SA.
> Either side can initiate a ping anytime they want.  No need to
> negotiate intervals, or retry counts, or any of that.  Each side
> decides their own policy in this regard.  If the other side doesn't
> answer, delete the SA and any other SAs considered to be related.
> Since it's a separate SA, those who don't want to add the ping
> packets to their accounting records can choose not to do so.
> Rekey interval for the ICMP SA can be set as appropriate, if one
> wants to check on the health of the IKE SA on the other side.
> Simple.  Clean.  Effective.  Not covered by any patents I know of.
> Works.  Right?

I agree that anything that uses a separate SA is simple and clean.
It has overhead that some people find objectionable. But, I think any
heartbeat protocol will have overhead. I'd rather have another SA
between two IPSEC peers instead of additional protocol complexity
withn IKE itself.

-Ben McCann

Ben McCann                              Indus River Networks
                                        31 Nagog Park
                                        Acton, MA, 01720
email: bmccann@indusriver.com           web: www.indusriver.com 
phone: (978) 266-8140                   fax: (978) 266-8111