
Re: NAT and IPsec



"Jari Arkko" <jari.arkko@kolumbus.fi> writes:
> Joern writes:
> > >* Would it be simpler to just use a client-initiated
> > >  ping as needed rather than a special-case heartbeat
> > >  packets as in two of the drafts?
> > 
> > There are two UDP ports here... IKE and ESPoverUDP.
> > With the ping you only keep ESPoverUDP alive.
> Ah. Yes. Does somebody have an idea how long a large NAT's UDP
> session storage lasts, typically?

300 seconds might be a reasonable typical value (they range from 30 sec to
3600 sec). However, to make it general-purpose you have to work by the
worst-case assumption.

> Note that if you were to encapsulate both IKE and ESP to the
> same UDP port number (2797) then there'd be a need to keep
> just that alive, either with the ping or with the empty IKE message
> you suggested.

And you'd wind up with my proposal, except it doesn't encapsulate IKE
(i.e. you would need to have overhead in normal IP packets beyond the normal
UDP header, _and_ you would have overhead in IKE packets). I can't see why
you would want to do that, though, as IKE works as-is.

Another thing is getting firewalls et al. to recognize UDP port 2797 as a
'nice traffic' port. (Does the fact that a non-root user can bind the port
have bad future implications? I could see someone 'stealing' the port on a
UNIX box..)

> Jari

-Markus
-- 
vi is [[13~^[[15~^[[15~^[[19~^[[18~^ a muk[^[[29~^[[34~^[[26~^[[32~^ch
better editor than this emacs.  I know I^[[14~'ll get flamed for this
but the truth has to be said. ^[[D^[[D^[[D^[[D^~     [[D^[^[[D^[[D^[[B^
        -- Jesper Lauridsen
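The two points made in the thread above (a NAT holds a separate UDP mapping for IKE and for ESP-over-UDP, so a ping that only refreshes the ESP mapping lets the IKE one expire, and the keepalive interval has to be chosen for the worst-case NAT timeout rather than the typical one) as an added simulation. This is not code from the thread or from any of the drafts; it assumes a toy NAPT model, a constructed client address 10.0.0.5, external ports starting at 40000 and a 0.8 safety factor on the timeout.

```python
"""Constructed simulation of NAT UDP mapping timeouts vs. IPsec keepalives.

Not from the thread: models a NAPT with an idle timeout per UDP mapping and
checks whether the IPsec gateway can still reach the client on the IKE and
ESP-over-UDP mappings after a long idle period."""

IKE_PORT = 500         # IKE/ISAKMP UDP port
ESP_UDP_PORT = 2797    # ESP-over-UDP port number used in the thread

# NAT UDP idle timeouts quoted in the thread: 30 s .. 3600 s, typically 300 s
NAT_TIMEOUT_WORST = 30
NAT_TIMEOUT_TYPICAL = 300
CLIENT = "10.0.0.5"    # constructed private address behind the NAT


class NatTable:
    """Minimal NAPT model: one UDP mapping per (src_ip, src_port, dst_port),
    dropped after idle_timeout seconds without outbound traffic. A mapping
    re-created after expiry gets a fresh external port, as real NATs do,
    so the peer's cached port no longer works even after the client talks."""

    def __init__(self, idle_timeout, first_external_port=40000):
        self.idle_timeout = idle_timeout
        self.next_port = first_external_port
        self.bindings = {}   # flow -> [external_port, last_seen]

    def _expire(self, now):
        stale = [f for f, (_, seen) in self.bindings.items()
                 if now - seen > self.idle_timeout]
        for f in stale:
            del self.bindings[f]

    def outbound(self, now, flow):
        """Client -> Internet packet: create or refresh the mapping and
        return the external port the peer sees."""
        self._expire(now)
        entry = self.bindings.get(flow)
        if entry is None:
            entry = [self.next_port, now]
            self.next_port += 1
            self.bindings[flow] = entry
        else:
            entry[1] = now
        return entry[0]

    def inbound(self, now, external_port):
        """Internet -> client packet: the internal flow it is delivered to,
        or None if no live mapping owns that external port."""
        self._expire(now)
        for flow, (ext, _) in self.bindings.items():
            if ext == external_port:
                return flow
        return None


def keepalive_interval(nat_timeout, safety=0.8):
    """Keepalive period that refreshes a mapping before it can expire
    (assumed 0.8 safety factor, sized for the worst-case timeout)."""
    return int(nat_timeout * safety)


def simulate(nat_timeout, interval, keepalive_ports, horizon=3600):
    """Run the IKE and ESP-over-UDP flows through a NAT for `horizon`
    seconds, sending keepalives only on `keepalive_ports`, then ask whether
    the gateway can still reach each flow at the external port it learned
    at t=0. Returns {"ike": bool, "esp": bool}."""
    nat = NatTable(nat_timeout)
    flows = {"ike": (CLIENT, IKE_PORT, IKE_PORT),
             "esp": (CLIENT, ESP_UDP_PORT, ESP_UDP_PORT)}
    # t=0: IKE negotiation and the first ESP packet create both mappings;
    # the gateway records the external ports it sees.
    learned = {name: nat.outbound(0, flow) for name, flow in flows.items()}
    t = interval
    while t <= horizon:
        for flow in flows.values():
            if flow[2] in keepalive_ports:
                nat.outbound(t, flow)
        t += interval
    # Gateway-initiated traffic at the horizon (e.g. an IKE rekey, return ESP)
    return {name: nat.inbound(horizon, learned[name]) == flows[name]
            for name in flows}


if __name__ == "__main__":
    iv = keepalive_interval(NAT_TIMEOUT_WORST)
    print("ping ESP only     :", simulate(NAT_TIMEOUT_WORST, iv, [ESP_UDP_PORT]))
    print("keepalive both    :", simulate(NAT_TIMEOUT_WORST, iv, [IKE_PORT, ESP_UDP_PORT]))
    print("tuned for typical :", simulate(NAT_TIMEOUT_WORST,
                                          keepalive_interval(NAT_TIMEOUT_TYPICAL),
                                          [IKE_PORT, ESP_UDP_PORT]))
```

The first run shows the ESP mapping alive and the IKE mapping gone; the second keeps both; the third, with the interval sized for a 300 s NAT but run against a 30 s one, loses both mappings, and since the NAT hands out new external ports when the client recreates them, the gateway's cached ports are useless even though the client keeps sending.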
