
Re: Heartbeats Straw Poll



Shawn

Speaking of patents, you spoke of the one Nortel has on Keepalives. Could
you point us to the patent you were referring to?

Thanks
Scott

----- Original Message -----
From: "Shawn Mamros" <smamros@nortelnetworks.com>
To: "Ben McCann" <bmccann@indusriver.com>
Cc: <ipsec@lists.tislabs.com>
Sent: Thursday, August 10, 2000 8:44 AM
Subject: Re: Heartbeats Straw Poll


> >IMHO, a heartbeat protocol should run over a dedicated transport mode
> >Phase 2 SA whose selector is specific to the heartbeat mechanism. I
> >would allocate a new UDP port number specifically for the heartbeat
> >mechanism just so it can be distinguished from all other user data. An
> >IPSEC peer that wants keepalives just has to create this SA using a
> >standard quick mode exchange. A peer that _doesn't_ want to accept
> >the heart-beat protocol can deny the quick mode request via its SPD.
>
> Why reinvent the wheel?  We have a protocol that already does this:
> ICMP.
>
> IPsec transport mode SA, negotiated specifically for ICMP, between
> the two endpoint addresses.  No changes to IKE necessary, just a
> matter of policy on both sides.  Don't want heartbeats?  Don't set
> up the SA.
>
> Either side can initiate a ping anytime they want.  No need to
> negotiate intervals, or retry counts, or any of that.  Each side
> decides their own policy in this regard.  If the other side doesn't
> answer, delete the SA and any other SAs considered to be related.
>
> Since it's a separate SA, those who don't want to add the ping
> packets to their accounting records can choose not to do so.
>
> Rekey interval for the ICMP SA can be set as appropriate, if one
> wants to check on the health of the IKE SA on the other side.
>
> Simple.  Clean.  Effective.  Not covered by any patents I know of.
> Works.  Right?
>
> -Shawn Mamros
> E-mail to: smamros@nortelnetworks.com
>
>
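
As an added illustration (not code from this thread or from any Nortel product), here is a small Python model of the policy Shawn describes: the ICMP Phase 2 SA is accepted or denied by the local SPD, each side picks its own missed-ping threshold without negotiating it, and a peer that stops answering takes down the SAs related to the same IKE SA while unrelated SAs survive. The names `Peer`, `quick_mode` and `ping` and the SPI values are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class SA:
    spi: int
    proto: str   # traffic selector protocol, e.g. "icmp" or "tcp"
    ike_sa: str  # the IKE SA that negotiated it; defines which SAs are "related"


class Peer:
    """One IPsec endpoint's liveness policy (hypothetical model, not an implementation)."""

    def __init__(self, accept_heartbeats: bool, max_missed: int):
        self.accept_heartbeats = accept_heartbeats  # SPD policy for the ICMP selector
        self.max_missed = max_missed                # locally chosen retry count, never negotiated
        self.sas: dict[int, SA] = {}
        self.missed: dict[str, int] = {}            # consecutive unanswered pings per IKE SA

    def quick_mode(self, spi: int, proto: str, ike_sa: str) -> bool:
        """Peer proposes a Phase 2 SA; the SPD denies the ICMP one if heartbeats are unwanted."""
        if proto == "icmp" and not self.accept_heartbeats:
            return False
        self.sas[spi] = SA(spi, proto, ike_sa)
        return True

    def ping(self, ike_sa: str, answered: bool) -> list[int]:
        """Send one ping over the ICMP SA; return the SPIs deleted if the peer is declared dead."""
        if not any(sa.proto == "icmp" and sa.ike_sa == ike_sa for sa in self.sas.values()):
            raise ValueError("no ICMP SA under this IKE SA; nothing to probe")
        if answered:
            self.missed[ike_sa] = 0          # any reply resets the local retry count
            return []
        self.missed[ike_sa] = self.missed.get(ike_sa, 0) + 1
        if self.missed[ike_sa] < self.max_missed:
            return []
        related = [spi for spi, sa in self.sas.items() if sa.ike_sa == ike_sa]
        for spi in related:                  # delete the ICMP SA and everything related to it
            del self.sas[spi]
        self.missed.pop(ike_sa, None)
        return related


def demo() -> tuple[bool, list[int], list[int]]:
    a = Peer(accept_heartbeats=True, max_missed=3)
    a.quick_mode(0x1001, "tcp", "ike-1")
    a.quick_mode(0x1002, "icmp", "ike-1")
    a.quick_mode(0x2001, "tcp", "ike-2")        # unrelated SA, must survive
    a.ping("ike-1", answered=False)
    a.ping("ike-1", answered=True)              # reply resets the count
    a.ping("ike-1", answered=False)
    a.ping("ike-1", answered=False)
    torn_down = a.ping("ike-1", answered=False)  # third consecutive miss
    b = Peer(accept_heartbeats=False, max_missed=3)
    denied = b.quick_mode(0x3001, "icmp", "ike-3")  # SPD refuses the heartbeat SA
    return denied, sorted(torn_down), sorted(a.sas)
```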


