Re: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
I have a really dumb question. Assuming this isn't a personal
NAT (i.e., it's say a corporate NAT/firewall) and part of the
reason it's there is to conserve public IP addresses, doesn't
having keepalives sort of defeat all that?
Mike
Bill Sommerfeld writes:
> NAT keepalives are (regrettably) necessary.
>
> IPsec is a peer-to-peer protocol; IPsec SAs are ephemeral state.
>
> An idle TCP connection sends no packets; if it sits idle for a while,
> any SAs created to carry its traffic will expire.
>
> At this point, the application on either end of the TCP connection
> could decide it has something to send; at that point, *that* end of
> the IPsec-protected part of the path needs to reestablish the IPsec
> state.
>
> NAT-keepalives are necessary to ensure that a site on the "outside" of
> the NAT can initiate an SA back to the system stuck behind the NAT.
>
> - Bill