RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
To a very small degree, but since in theory 64 thousand
systems could share the same address (each system gets
a different source port - more accurately each connection)
this is not the reason why I dislike keepalives.
-dave
-----Original Message-----
From: Michael Thomas [mailto:mat@cisco.com]
Sent: Thursday, July 12, 2001 2:33 PM
To: sommerfeld@East.Sun.COM
Cc: Mason, David; 'Brian Swander'; 'ipsec@lists.tislabs.com'
Subject: Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
I have a really dumb question. Assuming this isn't a personal
NAT (i.e., it's say a corporate NAT/firewall) and part of the
reason it's there is to conserve public IP addresses, doesn't
having keepalives sort of defeat all that?
Mike
Bill Sommerfeld writes:
> NAT keepalives are (regrettably) necessary.
>
> IPsec is a peer-to-peer protocol; IPsec SA's are ephemeral state.
>
> an idle TCP connection sends no packets; if it sits idle for a while,
> any SA's created to carry its traffic will expire.
>
> At this point, the application on either end of the TCP connection
> could decide it has something to send; at that point, *that* end of
> the IPsec-protected part of the path needs to reestablish the IPsec
> state.
>
> NAT-keepalives are necessary to ensure that a site on the "outside" of
> the NAT can initiate an SA back to the system stuck behind the NAT.
>
> - Bill
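To make Bill's point concrete, here is an added toy model of a NAT's UDP translation table with an idle timeout (example code written for this page, not from the draft or from anyone on this thread). The timeout value, the constructed addresses, the class and function names, and the assumption that any outbound packet on the mapped port counts as a keepalive are all assumptions of this example.

```python
from dataclasses import dataclass, field
# Constructed toy NAT: one public address, a UDP translation table, an idle timeout.
NAT_IDLE_TIMEOUT = 30.0   # seconds; assumed value, real NATs vary widely
@dataclass
class NatMapping:
    inside_addr: str      # private host behind the NAT (constructed addressing)
    inside_port: int
    outside_port: int     # port on the NAT's single public address
    last_seen: float      # time of the last packet in either direction

@dataclass
class Nat:
    public_addr: str
    timeout: float = NAT_IDLE_TIMEOUT
    next_port: int = 4500
    table: dict = field(default_factory=dict)  # (inside_addr, inside_port) -> NatMapping

    def _expire(self, now):
        stale = [k for k, m in self.table.items() if now - m.last_seen > self.timeout]
        for k in stale:
            del self.table[k]
    def outbound(self, inside_addr, inside_port, now):
        """Inside -> outside: create or refresh the mapping, return the public port."""
        self._expire(now)
        key = (inside_addr, inside_port)
        m = self.table.get(key)
        if m is None:  # each inside host gets its own public port, as Dave notes
            m = NatMapping(inside_addr, inside_port, self.next_port, now)
            self.next_port += 1
            self.table[key] = m
        m.last_seen = now
        return m.outside_port
    def inbound(self, outside_port, now):
        """Outside -> inside: delivered only while a live mapping exists, else dropped."""
        self._expire(now)
        for m in self.table.values():
            if m.outside_port == outside_port:
                return (m.inside_addr, m.inside_port)
        return None

def reachable_after_idle(keepalive_interval, idle_seconds):
    """Inside host idles for idle_seconds, then the outside peer initiates back
    (e.g. to rebuild an expired SA); True if the NAT still delivers that packet."""
    nat = Nat("203.0.113.1")
    pub = nat.outbound("10.0.0.5", 4500, 0.0)
    t = 0.0
    while keepalive_interval and t + keepalive_interval < idle_seconds:
        t += keepalive_interval
        nat.outbound("10.0.0.5", 4500, t)  # keepalive: any outbound packet refreshes it
    return nat.inbound(pub, idle_seconds) is not None
```

The model also shows the failure mode where the keepalive interval is longer than the NAT's idle timeout: the mapping still expires and the outside peer's first packet is dropped.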