[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

>I originally thought ICMP was OK too, but several people have
>argued against it. For example:
>1. ICMP may not be passed or acknowledged due to security policy.

It doesn't have to be "passed" - it's transport mode.  One host
to another.  If you're going through the bother of setting up
the SA, then it should flow from that that you're going to process
the ICMP echo requests - at least within that SA, if not elsewhere.

>2. ICMP may be counted against usage statistics thus adding bytes
>   the user didn't send.

The ICMP traffic is passing through its own transport mode SA.
A different SA from any tunnel mode traffic the user may be choosing
to send.  Thus, there is no confusion between the two.  As long as
you're doing the counting within the context of the SA (and how else
would you count it?), then you just don't count the traffic within
the transport mode SA for ICMP.  The tunnel mode SA traffic - ICMP
or otherwise - still counts.

>3. ICMP "heartbeat" packets can't be dropped by the SPD (if that is
>   your policy) without dropping all other legitimate ICMP packets.

Again, separate SA.  What happens for ICMP inside of any tunnel mode
SA is another matter.  The transport mode SA for ICMP - specifically
for heartbeats, in the form of ICMP echo aka ping - follows its own
SPD rules, tailored for the purpose.

>I suggested a separate UDP protocol port just to make it unambiguous
>so heartbeats can be omitted easily from statistics and so they can
>be controlled via the SPD without affecting other ICMP traffic. If
>these arguments aren't sufficiently strong then I agree with you that
>ICMP is a very viable heartbeat mechanism.

ICMP traffic within its own transport mode SA is just as easy to
distinguish as UDP traffic within its own transport mode SA.

>I agree that anything that uses a separate SA is simple and clean.
>It has overhead that some people find objectionable. But, I think any
>heartbeat protocol will have overhead. I'd rather have another SA
>between two IPSEC peers instead of additional protocol complexity
>withn IKE itself.

Makes sense to me...

-Shawn Mamros
E-mail to: smamros@nortelnetworks.com