[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heartbeats Straw Poll

To: ipsec@lists.tislabs.com
Subject: Re: Heartbeats Straw Poll
From: Ricky Charlet <rcharlet@redcreek.com>
Date: Tue, 15 Aug 2000 09:47:05 -0600
Organization: Redcreek Communications
References: <3.0.32.20000810114450.00bfe680@zbl6c000.corpeast.baynetworks.com>
Sender: owner-ipsec@lists.tislabs.com

Shawn Mamros wrote:
> 
> >IMHO, a heartbeat protocol should run over a dedicated transport mode
> >Phase 2 SA whose selector is specific to the heartbeat mechanism. I
> >would allocate a new UDP port number specifically for the heartbeat
> >mechanism just so it can distinguished from all other user data. An
> >IPSEC peer that wants keepalives just has to create this SA using a
> >standard quick mode exchange. A peer that _doesn't_ want to accept
> >the heart-beat protocol can deny the quick mode request via its SPD.
> 
> Why reinvent the wheel?  We have a protocol that already does this:
> ICMP.
> 
> IPsec transport mode SA, negotiated specifically for ICMP, between
> the two endpoint addresses.  No changes to IKE necessary, just a
> matter of policy on both sides.  Don't want heartbeats?  Don't set
> up the SA.
> 
> Either side can initiate a ping anytime they want.  No need to
> negotiate intervals, or retry counts, or any of that.  Each side
> decides their own policy in this regard.  If the other side doesn't
> answer, delete the SA and any other SAs considered to be related.
> 
> Since it's a separate SA, those who don't want to add the ping
> packets to their accounting records can choose not to do so.
> 
> Rekey interval for the ICMP SA can be set as appropriate, if one
> wants to check on the health of the IKE SA on the other side.
> 
> Simple.  Clean.  Effective.  Not covered by any patents I know of.
> Works.  Right?
> 
> -Shawn Mamros
> E-mail to: smamros@nortelnetworks.com


Howdy,
	This was my favorite idea (out-of-band-pahse2) for a while too. But the
downside is this: A gateway doing keepalives with large numbers of
clients will basically be handeling twice the number of SAs it would
have otherwise.

	By doing keepalives in phase 1, you are utalizing an existing secure
channel. The worst part about using phase 1 seems to be that it flys in
the face of the goal of simplifying IKE. However, keep in mind that keep
alive parameters in phase 1 could be configured, they do not HAVE to be
negotiated. By defining a new notify message and a few number of config
parameters (on/off, frequency) phase 1 keepalives could be done very
simply. The concept of carrying a notify message is not new.

	The other possible mechanism is doing keepalives in phase 2 inband
(inside of the established SA). This requires creating specialize
packets which will fit within the confines of the policy of the SA,and
the ability to recognize these special packets at the recieving end.
This approach does seem overly complex to me.

-- 
  Ricky Charlet   : Redcreek Communications   : usa (510) 795-6903

References:

Re: Heartbeats Straw Poll

From: "Shawn Mamros" <smamros@nortelnetworks.com>

Prev by Date: RE: Heartbeats Straw Poll (part 3)
Next by Date: IKE proposal formation
Prev by thread: Re: Heartbeats Straw Poll
Next by thread: Re: Heartbeats Straw Poll
Index(es):
- Main
- Thread