
RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
To a very small degree, but since in theory 64 thousand
systems could share the same address (each system gets
a different source port - more accurately each connection)
this is not the reason why I dislike keepalives.

-dave

-----Original Message-----
From: Michael Thomas [mailto:mat@cisco.com]
Sent: Thursday, July 12, 2001 2:33 PM
To: sommerfeld@East.Sun.COM
Cc: Mason, David; 'Brian Swander'; 'ipsec@lists.tislabs.com'
Subject: Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt 
I have a really dumb question. Assuming this isn't a personal
NAT (i.e., it's say a corporate NAT/firewall) and part of the
reason it's there is to conserve public IP addresses, doesn't
having keepalives sort of defeat all that?

		  Mike

Bill Sommerfeld writes:
 > NAT keepalives are (regrettably) necessary.
 > 
 > IPsec is a peer-to-peer protocol; IPsec SA's are ephemeral state.
 > 
 > an idle TCP connection sends no packets; if it sits idle for a while,
 > any SA's created to carry its traffic will expire.
 > 
 > At this point, the application on either end of the TCP connection
 > could decide it has something to send; at that point, *that* end of
 > the IPsec-protected part of the path needs to reestablish the IPsec
 > state.
 > 
 > NAT-keepalives are necessary to ensure that a site on the "outside" of
 > the NAT can initiate an SA back to the system stuck behind the NAT.
 > 
 > 					- Bill
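To make the two points in this exchange concrete, here is an added example (not code from the thread or from the draft) that models a port-translating NAT with an idle timeout. It shows why Bill's outside peer cannot reach the inside host once the binding has expired, why a keepalive only helps if it is sent more often than the NAT's timeout, and, as Dave notes, that keepalives cost no extra public addresses because each inside host is distinguished by its translated source port. The timeout, interval and addresses are constructed values, not taken from the draft.

```python
from dataclasses import dataclass, field

NAT_IDLE_TIMEOUT = 120.0   # seconds a UDP binding survives without traffic (constructed value)
KEEPALIVE_INTERVAL = 20.0  # keepalive period for the inside host (constructed value)

@dataclass
class Binding:
    inside: tuple          # (private_ip, private_port)
    public_port: int
    last_seen: float

@dataclass
class Nat:
    """Minimal NAT: one public address, per-flow source-port translation, idle expiry."""
    public_ip: str
    idle_timeout: float = NAT_IDLE_TIMEOUT
    next_port: int = 40000
    by_inside: dict = field(default_factory=dict)
    by_public: dict = field(default_factory=dict)

    def _expire(self, now):
        stale = [b for b in self.by_public.values() if now - b.last_seen > self.idle_timeout]
        for b in stale:
            del self.by_public[b.public_port]
            del self.by_inside[b.inside]

    def outbound(self, now, inside):
        """Inside host sends a packet: create or refresh its binding, return (public_ip, port)."""
        self._expire(now)
        b = self.by_inside.get(inside)
        if b is None:
            b = Binding(inside, self.next_port, now)
            self.next_port += 1
            self.by_inside[inside] = b
            self.by_public[b.public_port] = b
        b.last_seen = now
        return (self.public_ip, b.public_port)

    def inbound(self, now, public_port):
        """Outside peer sends to a public port: return the inside host, or None if no live binding."""
        self._expire(now)
        b = self.by_public.get(public_port)
        if b is None:
            return None
        b.last_seen = now
        return b.inside

def peer_can_initiate(idle_seconds, keepalive_interval=None):
    """After idle_seconds with no user traffic, can the outside peer still reach the inside host?"""
    nat = Nat("203.0.113.1")                 # constructed documentation address
    host = ("10.0.0.5", 4500)                # constructed private host running UDP-encapsulated IPsec
    _, port = nat.outbound(0.0, host)        # initial exchange opens the binding
    t = keepalive_interval or 0.0
    while keepalive_interval and t < idle_seconds:
        nat.outbound(t, host)                # NAT-keepalive: a tiny UDP datagram that refreshes the binding
        t += keepalive_interval
    return nat.inbound(idle_seconds, port) == host

def distinct_public_ports(n_hosts):
    """Dave's point: n inside hosts share one public IP, each with its own translated port."""
    nat = Nat("203.0.113.1")
    return len({nat.outbound(0.0, ("10.0.0.%d" % i, 500))[1] for i in range(n_hosts)})
```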