
Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt



NAT keepalives are (regrettably) necessary.

IPsec is a peer-to-peer protocol; IPsec SAs are ephemeral state.

An idle TCP connection sends no packets; if it sits idle for a while,
any SAs created to carry its traffic will expire.

At this point, the application on either end of the TCP connection
could decide it has something to send; at that point, *that* end of
the IPsec-protected part of the path needs to reestablish the IPsec
state.

NAT-keepalives are necessary to ensure that a site on the "outside" of
the NAT can initiate an SA back to the system stuck behind the NAT.

					- Bill
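
An added example, not part of Bill's post or of the draft: a toy NAT with a UDP binding timeout, used to show the failure he describes (the outside peer cannot initiate back through the NAT once the binding has aged out) and how a periodic NAT-keepalive prevents it. The packet formats follow RFC 3948, the RFC that this draft eventually became: on UDP/4500 a NAT-keepalive is a datagram holding the single octet 0xFF, IKE is prefixed with a four-zero-octet Non-ESP Marker, and anything else is UDP-encapsulated ESP beginning with its SPI. The addresses, the 120 s binding timeout, the 20 s keepalive interval and the packet contents are constructed for the simulation.

```python
"""Toy NAT with a UDP binding timeout, plus the RFC 3948 UDP/4500 packet
classes. Added illustration; addresses, timeouts and payloads are constructed."""

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
KEEPALIVE = b"\xff"


def classify(payload: bytes) -> str:
    """Classify a UDP/4500 payload the way an RFC 3948 receiver does."""
    if payload == KEEPALIVE:
        return "keepalive"      # receiver silently drops it
    if payload[:4] == NON_ESP_MARKER:
        return "ike"            # strip the marker, hand the rest to IKE
    if len(payload) >= 8:
        return "esp"            # SPI (never zero) + sequence number + ...
    return "unknown"


class Nat:
    """Minimal NAT: one public port per inside (ip, port). A binding is created
    and refreshed only by outbound packets and expires after `timeout` seconds
    without any; inbound packets with no live binding are dropped."""

    def __init__(self, timeout: float, first_public_port: int = 40000):
        self.timeout = timeout
        self.next_port = first_public_port
        self.out = {}    # (inside_ip, inside_port) -> [public_port, last_seen]
        self.back = {}   # public_port -> (inside_ip, inside_port)

    def _expire(self, now: float) -> None:
        for key, (port, seen) in list(self.out.items()):
            if now - seen > self.timeout:
                del self.out[key]
                del self.back[port]

    def outbound(self, inside: tuple, now: float) -> int:
        """Translate an inside->outside packet; returns the public port used."""
        self._expire(now)
        if inside not in self.out:
            self.out[inside] = [self.next_port, now]
            self.back[self.next_port] = inside
            self.next_port += 1
        self.out[inside][1] = now
        return self.out[inside][0]

    def inbound(self, public_port: int, now: float):
        """Translate an outside->inside packet; returns the inside (ip, port),
        or None if the NAT no longer has a binding for that public port."""
        self._expire(now)
        return self.back.get(public_port)


def outside_can_initiate(idle: float, nat_timeout: float,
                         keepalive_interval: float = None) -> bool:
    """Scenario from the post: the inside host sends ESP at t=0, the TCP
    connection then sits idle for `idle` seconds, after which the outside
    peer needs to rebuild IPsec state and sends IKE back through the NAT.
    Returns True iff that IKE packet reaches the inside host."""
    nat = Nat(nat_timeout)
    inside = ("10.0.0.7", NAT_T_PORT)                       # constructed
    esp = b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\xaa" * 16  # SPI, seq, data
    public_port = nat.outbound(inside, 0.0)   # the outside peer learns this port
    assert classify(esp) == "esp"
    if keepalive_interval:
        t = keepalive_interval
        while t < idle:                 # no application traffic, keepalives only
            nat.outbound(inside, t)     # the one-octet datagram refreshes the binding
            assert classify(KEEPALIVE) == "keepalive"   # and the peer discards it
            t += keepalive_interval
    ike = NON_ESP_MARKER + b"\x00" * 28   # marker + zeroed 28-octet IKE header
    assert classify(ike) == "ike"
    return nat.inbound(public_port, idle) == inside


if __name__ == "__main__":
    # 200 s idle against a NAT that forgets UDP bindings after 120 s:
    print("no keepalives:", outside_can_initiate(200, 120))             # False
    print("keepalive every 20 s:", outside_can_initiate(200, 120, 20))  # True
```

The keepalive costs nothing at the receiver (it is dropped on sight), but because it is an outbound packet from the host behind the NAT it keeps the mapping alive, so the outside peer's later IKE packet still reaches the inside host. Without it, the outside peer is addressing a port the NAT has already forgotten.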

