Re: Heartbeats Straw Poll
>>>>> "Shawn" == Shawn Mamros <firstname.lastname@example.org> writes:
Shawn> Why reinvent the wheel? We have a protocol that already does
Shawn> this: ICMP.
Shawn> IPsec transport mode SA, negotiated specifically for ICMP, between
Shawn> the two endpoint addresses. No changes to IKE necessary, just a
Shawn> matter of policy on both sides. Don't want heartbeats? Don't set
Shawn> up the SA.
Shawn> Either side can initiate a ping anytime they want. No need to
Shawn> negotiate intervals, or retry counts, or any of that. Each side
Shawn> decides their own policy in this regard. If the other side
Shawn> doesn't answer, delete the SA and any other SAs considered to be
a) this may not be entirely clear
Shawn> Since it's a separate SA, those who don't want to add the ping
b) since it is a separate SA, it really tells you nothing about the
SAs that you want to use
c) hardware devices have typically a limited number of slots for
SAs, so one would prefer not to double the number of them and
d) I think that ICMP should always fit into all SAs anyway.
:!mcr!: | Solidum Systems Corporation, http://www.solidum.com
Michael Richardson |For a better connected world,where data flows faster<tm>