
Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt




----- Original Message -----
From: "Derek Atkins" <warlord@mit.edu>
To: "Mason, David" <David_Mason@nai.com>
Cc: "'sommerfeld@east.sun.com'" <sommerfeld@East.Sun.COM>; "'Brian Swander'"
<briansw@windows.microsoft.com>; <ipsec@lists.tislabs.com>
Sent: Thursday, July 12, 2001 11:12 AM
Subject: Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt


>
> "Mason, David" <David_Mason@nai.com> writes:
>
> > > NAT-keepalives are necessary to ensure that a site
> > > on the "outside" of the NAT can initiate an SA back
> > > to the system stuck behind the NAT.
> >
> > Only UDP NAT mappings require keepalives.
> > TCP NAT mappings don't.
>
> Yes, they do.  TCP NAT mappings (which means you're using a TCP
> protocol through the NAT -- which doesn't apply to an ESP-protected
> TCP session in any case) DO expire.  Go telnet in the clear to some
> host through a NAT and let it sit for a while.  I bet you a dollar to
> a dime that in most cases the NAT box will unmap you and you'll lose
> your connection.
>

Don't bet so quickly, you may lose your shirt!

Most NATs have a TCP ageout/timeout that is
generally set to 2.5 hrs (I think it is set to 24 hrs
in Cisco IOS NAT). Again, it can vary and
depends on the vendor.

Most TCP implementations have a built-in keep-
alive. The default is supposed to be 2 hrs, but it is
not uncommon to see messages sent every
10-15 min.

Now, if the built-in TCP keep-alive is sent more
frequently than the NAT Ageout/timeout, you will
never lose a TCP connection.

So depending on your TCP implementation and
the NAT box setting, you may or may not need
to send keep-alive messages. From the defaults
it seems that in _most_ cases you will _not_ lose
the TCP connections because of NATs.

regards,
Jayant

p.s.: the reason TCP keep-alives are sent is
for detecting if the connection is alive and
_not_ for keeping NAT mappings alive.
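The two timers the message compares (the stack's keepalive idle timer and the NAT's TCP mapping timeout) can be checked and tuned per socket. The block below is an added example, not code from the thread or from the draft; it uses the 2 hr default keepalive idle time and the 2.5 hr NAT timeout quoted above as constants, and the 10 min idle / 60 s probe interval / 5 probe values in `configure_keepalive` are assumed tuning choices. The socket option names are the Linux ones (`TCP_KEEPIDLE`, `TCP_KEEPINTVL`, `TCP_KEEPCNT`); macOS exposes the idle timer as `TCP_KEEPALIVE`, and Windows uses `SIO_KEEPALIVE_VALS` via `ioctl`, which this example does not handle.

```python
import socket

# Figures quoted in the message above: TCP keepalive idle default of 2 hours,
# and a common (vendor-dependent) NAT TCP mapping timeout of 2.5 hours.
TCP_DEFAULT_KEEPALIVE_IDLE = 2 * 60 * 60
NAT_TCP_TIMEOUT_EXAMPLE = int(2.5 * 60 * 60)


def keepalive_keeps_mapping(idle_seconds, nat_timeout_seconds):
    """True if the first keepalive probe leaves before an idle NAT mapping
    would expire. Only the idle timer matters for the NAT: each probe/ACK
    pair is traffic through the mapping and resets its timer."""
    return idle_seconds < nat_timeout_seconds


def dead_peer_detection_time(idle_seconds, interval_seconds, count):
    """Worst-case seconds before the stack declares the peer dead: the idle
    timer, then `count` unanswered probes sent `interval_seconds` apart.
    This is the job the p.s. says keepalives are actually for."""
    return idle_seconds + interval_seconds * count


def read_keepalive(sock):
    """Effective keepalive settings of `sock`; None where the platform has no
    per-socket knob for that value (the system default applies then)."""
    def tcp_opt(name):
        num = getattr(socket, name, None)
        return sock.getsockopt(socket.IPPROTO_TCP, num) if num is not None else None

    idle = tcp_opt("TCP_KEEPIDLE")        # Linux name
    if idle is None:
        idle = tcp_opt("TCP_KEEPALIVE")   # macOS name for the same timer
    return {
        "enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0,
        "idle": idle,
        "interval": tcp_opt("TCP_KEEPINTVL"),
        "count": tcp_opt("TCP_KEEPCNT"),
    }


def configure_keepalive(sock, idle=600, interval=60, count=5):
    """Enable keepalive on `sock` with an assumed 10-minute idle timer (the
    10-15 min figure above), then return what the kernel actually stored."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None)
    if idle_opt is None:
        idle_opt = getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return read_keepalive(sock)


def tune_fresh_socket(idle=600, interval=60, count=5):
    """Create an unconnected TCP socket, tune it, and return the readback.
    Keepalive options can be set before connect(), so no network is needed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return configure_keepalive(s, idle, interval, count)


if __name__ == "__main__":
    settings = tune_fresh_socket()
    print("tuned socket:", settings)
    for label, idle in (("stack default", TCP_DEFAULT_KEEPALIVE_IDLE),
                        ("tuned", settings["idle"] or 600)):
        ok = keepalive_keeps_mapping(idle, NAT_TCP_TIMEOUT_EXAMPLE)
        print(f"{label}: idle={idle}s, survives 2.5h NAT timeout: {ok}")
```

Note that `keepalive_keeps_mapping` only answers the question the message raises (does the probe go out before the mapping ages out); it says nothing about UDP, where no transport-level keepalive exists and the UDP-encapsulation draft's own NAT-keepalive packets are the only option.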

