Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
"Mason, David" <David_Mason@nai.com> writes:
> > NAT-keepalives are necessary to ensure that a site
> > on the "outside" of the NAT can initiate an SA back
> > to the system stuck behind the NAT.
>
> Only UDP NAT mappings require keepalives.
> TCP NAT mappings don't.
Yes, they do. TCP NAT mappings (which means you're using a TCP
protocol through the NAT -- which doesn't apply to an ESP-protected
TCP session in any case) DO expire. Go telnet in the clear to some
host through a NAT and let it sit for a while. I bet you a dollar to
a dime that in most cases the NAT box will unmap you and you'll lose
your connection.
I also think you are confused about how NAT works, and how IPsec
protects transport-layer information for protected communications, and
how _that_ interacts with NAT, too. However, I have no incentive or
time to actually correct your brain at the moment.
> -dave
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
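The behaviour argued over above (NAT bindings for both UDP and TCP aging out when idle, and the NAT-keepalive from the UDP-encapsulation draft holding a binding open so the outside peer can initiate back) as a worked model. This is an added example, not code from the draft, from the thread, or from either author. It assumes the keepalive and port-4500 demultiplexing rules as published in RFC 3948, the successor of draft-ietf-ipsec-udp-encaps; the NAT idle timeouts, addresses and port numbers are invented for the scenario, and the `NatBox` class is a toy model of one port-translating NAT, not any particular product.

```python
"""Toy model of NAT binding expiry and NAT-keepalives for UDP-encapsulated
IPsec. Constructed example: timeouts, addresses and ports are assumptions."""
from dataclasses import dataclass

# Assumed addresses for the scenario.
INSIDE = ("10.0.0.5", 4500)      # IPsec host stuck behind the NAT
PEER = ("203.0.113.7", 4500)     # security gateway on the outside

# Per RFC 3948 (published successor of draft-ietf-ipsec-udp-encaps): a
# NAT-keepalive is a single 0xFF octet on the UDP port used for encapsulation
# (4500); IKE on that port is prefixed by a four-zero-byte non-ESP marker.
NAT_KEEPALIVE = b"\xff"
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_udp4500(payload: bytes) -> str:
    """Demultiplex a UDP/4500 datagram the way an RFC 3948 receiver does."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"    # only refreshes NAT state; then discarded
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"              # IKE message follows the marker
    if len(payload) >= 8:
        return "esp"              # non-zero SPI + sequence number: ESP
    return "invalid"


@dataclass
class Mapping:
    proto: str
    inside: tuple
    outside: tuple
    ext_port: int
    last_seen: float


class NatBox:
    """Minimal port-translating NAT whose bindings age out when idle.
    Both UDP and TCP bindings expire; the timeouts are assumed values."""

    def __init__(self, udp_timeout=30.0, tcp_timeout=300.0,
                 external_ip="198.51.100.1"):
        self.timeouts = {"udp": udp_timeout, "tcp": tcp_timeout}
        self.external_ip = external_ip
        self.next_port = 40000
        self.by_inside = {}     # (proto, inside, outside) -> Mapping
        self.by_external = {}   # (proto, ext_port, outside) -> Mapping

    def _expire(self, now):
        for key, m in list(self.by_inside.items()):
            if now - m.last_seen > self.timeouts[m.proto]:
                del self.by_inside[key]
                del self.by_external[(m.proto, m.ext_port, m.outside)]

    def outbound(self, proto, inside, outside, now):
        """Inside host sends to the peer. Any packet, a keepalive included,
        refreshes the binding; a fresh binding gets a new external port.
        Returns the external (ip, port) the peer will see."""
        self._expire(now)
        key = (proto, inside, outside)
        m = self.by_inside.get(key)
        if m is None:
            m = Mapping(proto, inside, outside, self.next_port, now)
            self.next_port += 1
            self.by_inside[key] = m
            self.by_external[(proto, m.ext_port, outside)] = m
        m.last_seen = now
        return (self.external_ip, m.ext_port)

    def inbound(self, proto, outside, ext_port, now):
        """Peer sends to (external_ip, ext_port). Returns the inside address
        the packet is forwarded to, or None when no live binding exists."""
        self._expire(now)
        m = self.by_external.get((proto, ext_port, outside))
        if m is None:
            return None
        m.last_seen = now
        return m.inside


def peer_reaches_inside_after_idle(proto, idle_seconds):
    """Inside host talks once, then goes quiet; can the peer initiate back?"""
    nat = NatBox()
    _, ext_port = nat.outbound(proto, INSIDE, PEER, 0.0)
    return nat.inbound(proto, PEER, ext_port, idle_seconds) == INSIDE


def peer_reaches_inside_with_keepalives(interval, total):
    """Inside host sends NAT_KEEPALIVE every `interval` seconds; after
    `total` seconds the peer initiates back to the port it first learned."""
    nat = NatBox()
    _, ext_port = nat.outbound("udp", INSIDE, PEER, 0.0)
    t = 0.0
    while t + interval <= total:
        t += interval
        nat.outbound("udp", INSIDE, PEER, t)   # the 0xFF keepalive datagram
    return nat.inbound("udp", PEER, ext_port, total) == INSIDE


if __name__ == "__main__":
    print("UDP, idle 10s  :", peer_reaches_inside_after_idle("udp", 10.0))
    print("UDP, idle 60s  :", peer_reaches_inside_after_idle("udp", 60.0))
    print("TCP, idle 600s :", peer_reaches_inside_after_idle("tcp", 600.0))
    print("keepalive 20s  :", peer_reaches_inside_with_keepalives(20.0, 600.0))
    print("keepalive 45s  :", peer_reaches_inside_with_keepalives(45.0, 600.0))
```

The second keepalive scenario is the practical caveat: a keepalive interval longer than the NAT's idle timeout is useless, because the binding is torn down and re-created on a different external port, and the peer is still addressing the port it learned during the initial exchange. The interval has to be chosen below the shortest UDP idle timeout the implementation expects to meet, which is why the draft's keepalive exists at all rather than relying on ESP traffic.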