
Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt



"Mason, David" <David_Mason@nai.com> writes:

> > NAT-keepalives are necessary to ensure that a site
> > on the "outside" of the NAT can initiate an SA back
> > to the system stuck behind the NAT.
> 
> Only UDP NAT mappings require keepalives.
> TCP NAT mappings don't.

Yes, they do.  TCP NAT mappings (which means you're using a TCP
protocol through the NAT -- which doesn't apply to an ESP-protected
TCP session in any case) DO expire.  Go telnet in the clear to some
host through a NAT and let it sit for a while.  I bet you a dollar to
a dime that in most cases the NAT box will unmap you and you'll lose
your connection.

I also think you are confused about how NAT works, and how IPsec
protects transport-layer information for protected communications, and
how _that_ interacts with NAT, too.  However I have no incentive or
time to actually correct your brain at the moment.

> -dave

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

