
Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
I have a really dumb question. Assuming this isn't a personal
NAT (i.e., it's, say, a corporate NAT/firewall) and part of the
reason it's there is to conserve public IP addresses, doesn't
having keepalives sort of defeat all that?

		  Mike

Bill Sommerfeld writes:
 > NAT keepalives are (regrettably) necessary.
 > 
 > IPsec is a peer-to-peer protocol; IPsec SAs are ephemeral state.
 > 
 > An idle TCP connection sends no packets; if it sits idle for a while,
 > any SAs created to carry its traffic will expire.
 > 
 > At this point, the application on either end of the TCP connection
 > could decide it has something to send; at that point, *that* end of
 > the IPsec-protected part of the path needs to reestablish the IPsec
 > state.
 > 
 > NAT-keepalives are necessary to ensure that a site on the "outside" of
 > the NAT can initiate an SA back to the system stuck behind the NAT.
 > 
 > 					- Bill
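The timing relationship behind Bill's point, as a constructed model added here (not code from the draft or either poster): a NAT holds a UDP binding only while traffic refreshes it, so once the host's SA has expired the outside peer can initiate back in only if keepalives were sent more often than the NAT's idle timeout. All timeout and address values are assumed.

```python
"""Constructed model of NAT UDP bindings versus IPsec NAT keepalives."""
from dataclasses import dataclass, field


@dataclass
class Nat:
    # Seconds a UDP binding survives with no traffic (assumed value).
    idle_timeout: float
    # (inside_addr, inside_port) -> time the binding was last refreshed
    bindings: dict = field(default_factory=dict)

    def outbound(self, inside, now):
        """Any outbound packet creates or refreshes the binding."""
        self.bindings[inside] = now

    def inbound_allowed(self, inside, now):
        """An inbound packet is forwarded only to a still-live binding."""
        last = self.bindings.get(inside)
        return last is not None and now - last <= self.idle_timeout


def simulate(idle_gap, nat_timeout, keepalive_interval=None):
    """Host behind the NAT does an IKE/ESP-in-UDP exchange at t=0, then its
    TCP connection idles for idle_gap seconds and its SA expires.  Returns
    True if the outside peer can still reach the host to set up a new SA."""
    nat = Nat(nat_timeout)
    inside = ("10.0.0.5", 4500)  # constructed private address / UDP port
    nat.outbound(inside, 0.0)    # initial exchange creates the binding
    if keepalive_interval:
        t = keepalive_interval
        while t < idle_gap:
            nat.outbound(inside, t)  # keepalive refreshes the binding
            t += keepalive_interval
    return nat.inbound_allowed(inside, idle_gap)


if __name__ == "__main__":
    print("no keepalives:", simulate(600, 120))
    print("keepalive every 20s:", simulate(600, 120, 20))
    print("keepalive every 150s (too slow):", simulate(600, 120, 150))
```

The third case shows the check a practitioner wants: keepalives help only when the interval is shorter than the NAT's idle timeout, and each live binding is a public port held for an idle host, which is the cost Mike asks about.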

