
Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt



"Mason, David" <David_Mason@nai.com> writes:

> TCP NAT mappings don't require a keepalive.  They're generally
> based upon the state of the connection (which can also create
> problems) and not a flat timeout as is used for UDP.  I'm not
> saying that I know what the solution is, I'm just saying that we
> need to take a serious look at possible alternatives.  Do not
> send the TCP message in the clear (use the cookies for lookup -
> and yes there are problems here in determining message boundaries).

That's not true.  Most NAT boxes will expire a TCP mapping if they are
idle for some period of time (generally on the order of 10 minutes,
but it certainly varies from box to box).  So, you _still_ need a
keepalive on a TCP session, too.

> I was under the impression that the N minutes linger was
> so that the clients don't need to keep track of active
> connections.  I'm also concerned with keepalives for
> long periods even when there are idle active connections.
> A change in NAT mappings doesn't necessarily mean the
> invalidation of the IKE SA.

If your connection is idle for that long a period of time, send
an IKE DELETE notification and tear down the session.

The reason you need the keepalive there is that if the IKE SAs are
still in place, there is no way to know _which side_ will want to send
the 'next' packet.  If it's the 'server' (e.g. the non-natted host)
then there is no way for that server to contact the client (the natted
host) because all state information has been lost.  And there is no
way to notify the client that there is any data to transmit, either,
for the same reason.

The ONLY way to keep communication alive is to keep the mapping alive
for as long as the SA is valid.  This MUST be done, otherwise there is
no way for packets to get back in through the NAT.

If you want to tear it down, then do so.

If the connection has no data on it, fine, it will just send
keepalives to keep NAT happy.  If you want the connection to die
when it's idle, then tear it down.

That's the joy of living with NAT.  If you don't like it, get rid of
your d**m NAT box!

> -dave

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
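The argument in the message above (a NAT with a flat idle timeout for UDP mappings loses the client's mapping while the IKE SA is still valid, so the NATted side has to keep sending or inbound packets from the peer are dropped) can be made concrete with a small model. The following is an added example, not code from the thread or from any IPsec implementation: it assumes a NAT that expires a UDP mapping once no packet has crossed it in either direction for `idle_timeout` seconds, that refreshes the timer on traffic in either direction, and that allocates a fresh public port when a mapping has to be recreated. The ten-minute figure, the addresses and the port numbers are constructed for the simulation.

```python
"""Model of the NAT-keepalive problem for UDP-encapsulated IKE/ESP.

A NAT with a flat idle timeout forgets a UDP mapping after a quiet period.
The peer outside the NAT only knows the public port it saw at IKE time, so
if the mapping expires (or is recreated on a new port), the peer's next
packet is dropped.  Constructed example: the NAT behaviour below is a model,
not the behaviour of any particular box.
"""

from dataclasses import dataclass


@dataclass
class Binding:
    inside: tuple        # (private_ip, private_port) of the NATted host
    outside_port: int    # port on the NAT's public address seen by the peer
    last_seen: float     # time of the last packet in either direction


class Nat:
    """NAT with a flat idle timeout for UDP mappings (assumed behaviour)."""

    def __init__(self, idle_timeout: float, public_ip: str = "203.0.113.1"):
        self.idle_timeout = idle_timeout
        self.public_ip = public_ip
        self.by_inside = {}      # inside tuple -> Binding
        self.by_outside = {}     # public port -> Binding
        self.next_port = 40000   # assumption: fresh port per new mapping

    def _expire(self, now: float) -> None:
        # Drop every mapping that has been idle for the full timeout.
        for b in list(self.by_outside.values()):
            if now - b.last_seen >= self.idle_timeout:
                del self.by_outside[b.outside_port]
                del self.by_inside[b.inside]

    def outbound(self, now: float, inside: tuple) -> tuple:
        """Inside host sends a packet; returns the (public_ip, port) the peer sees."""
        self._expire(now)
        b = self.by_inside.get(inside)
        if b is None:
            # No live mapping: allocate a new one on a new public port.
            b = Binding(inside, self.next_port, now)
            self.next_port += 1
            self.by_inside[inside] = b
            self.by_outside[b.outside_port] = b
        b.last_seen = now
        return (self.public_ip, b.outside_port)

    def inbound(self, now: float, outside_port: int):
        """Peer sends to a public port; returns the inside address, or None if dropped."""
        self._expire(now)
        b = self.by_outside.get(outside_port)
        if b is None:
            return None
        b.last_seen = now
        return b.inside


def simulate(idle_timeout: float, keepalive_interval, server_send_at: float) -> bool:
    """Return True if a server-initiated packet at `server_send_at` reaches the client.

    t=0: the client (behind the NAT) completes IKE and the server records the
    public port it saw.  The client then sends keepalives every
    `keepalive_interval` seconds (None = no keepalives) until the server sends.
    """
    nat = Nat(idle_timeout)
    client = ("10.0.0.5", 4500)           # constructed private address
    _, port_known_to_server = nat.outbound(0.0, client)
    if keepalive_interval is not None:
        t = keepalive_interval
        while t < server_send_at:
            nat.outbound(t, client)
            t += keepalive_interval
    return nat.inbound(server_send_at, port_known_to_server) == client


if __name__ == "__main__":
    TIMEOUT = 600.0   # the "on the order of 10 minutes" from the thread
    print("idle, no keepalive, server sends at 15 min:", simulate(TIMEOUT, None, 900))
    print("keepalive every 20 s:                     ", simulate(TIMEOUT, 20, 900))
    print("keepalive exactly at the timeout:         ", simulate(TIMEOUT, 600, 900))
```

The third case is the one to note: a keepalive interval equal to the NAT's timeout is not enough, because the mapping is already gone when the keepalive arrives and the NAT creates a new mapping on a different public port, which the server never learned. The interval has to be comfortably shorter than the smallest timeout expected in the path.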

