RE: Heartbeats (was RE: keepalives)

>>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:

 Tero> Jan Vilhuber writes:
 >> What about this: when sending a phase1-heartbeat (where we still
 >> need to agree what this would look like) from host A to host B,
 >> why not include in it all SPIs that host A shares with host B. If
 >> host B has a few SPIs that host A didn't include in the
 >> heartbeat, then they are obviously deleted, and host B should
 >> delete its SPIs for those.

 Tero> That could be one way to do it, but it only allows a machine to
 Tero> have 16376 SAs up at one time (64 kB packet limit at the UDP
 Tero> level). I have been doing testing with a bigger number of SAs
 Tero> between hosts already now, and I wonder what amount of SAs we
 Tero> have in 5-10 years....

 Tero> Is that amount enough?

16k SAs between a single pair of security gateways?  The usual number
is one.  Indeed, there have been some good arguments why it's unlikely
that much more than that is useful.  (The classic argument for more is
"so some data can be protected better than other".  But with decent
crypto performance, a simpler solution is to protect everything to the
maximum extent possible.)

Can you give a scenario where thousands of SAs between a single pair
of security gateways are necessary?
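The two design points argued above (the SPI-list reconciliation rule and the datagram-size ceiling) as an added worked example; this is illustrative code written for this page, not anything from the thread's participants or from any IKE implementation. It assumes IPv4 plus UDP headers only; the optional extra_header_bytes allowance for an ISAKMP or notify header is a hypothetical parameter.

```python
# Constructed example: capacity of a heartbeat that lists every SPI shared
# with a peer, and the receiver-side reconciliation it implies.

MAX_IPV4_DATAGRAM = 65535   # 16-bit total-length field in the IPv4 header
IPV4_HEADER = 20            # minimum IPv4 header, no options
UDP_HEADER = 8
SPI_SIZE = 4                # ESP/AH SPIs are 32-bit values


def max_spis_per_heartbeat(extra_header_bytes: int = 0) -> int:
    """Number of 32-bit SPIs that fit in one maximum-size UDP datagram.

    With nothing beyond IP+UDP headers this yields 16376, the ceiling
    quoted in the thread.  extra_header_bytes is a hypothetical allowance
    for an ISAKMP/notify header and only lowers the count.
    """
    payload = MAX_IPV4_DATAGRAM - IPV4_HEADER - UDP_HEADER - extra_header_bytes
    return payload // SPI_SIZE


def build_heartbeat(local_spis, extra_header_bytes: int = 0):
    """Sender side: the SPI list host A advertises to host B.

    Refuses rather than truncates when the list does not fit: a truncated
    list would make the peer delete SAs that are still alive.
    """
    spis = sorted(set(local_spis))
    limit = max_spis_per_heartbeat(extra_header_bytes)
    if len(spis) > limit:
        raise ValueError(f"{len(spis)} SPIs exceed the {limit}-SPI datagram limit")
    return spis


def reconcile(held_spis, advertised_spis):
    """Receiver side: SPIs host B holds that host A no longer lists.

    These are the SAs the proposal says B should delete.
    """
    return sorted(set(held_spis) - set(advertised_spis))


if __name__ == "__main__":
    print(max_spis_per_heartbeat())                         # 16376
    # Constructed sample: B holds three SAs, A's heartbeat lists two.
    print(reconcile([0x1001, 0x1002, 0x1003], [0x1001, 0x1003]))  # [4098]
```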