
Re: NAT Traversal

On Tue, 5 Mar 2002, Chinna N.R. Pellacuru wrote:

> On Wed, 6 Mar 2002, Tero Kivinen wrote:
>
> > pcn@cisco.com ("Chinna N.R. Pellacuru") writes:
> > > - UDP encapsulation schemes require the use of keepalives to keep the
> > > translation alive. That would not be easy to do, particularly if you are
> > > assuming that no one knows what kind of NAT boxes are out there.
> >
> > And, again I will once more repeat, only you are sending keepalives
> > only if there is no other traffic going out, and only from the host
> > that is behind NAT box (i.e. the "server" end with fixed ip-address
> > will not ever send them), and also the interval can be configured.
>
> Consider a small router that is providing IPsec protection to a SOHO
> network. If they are doing "continuous channel implementation", with no
> "dangling SAs", then the box has the SAs up all the time, and even when
> there is no data traffic, the router will be forced to keepalive the NAT
> translations by sending IKE NAT keepalives. If the recommended NAT
> keepalive timer is 20 seconds (I have seen practical deployment
> recommendations as low as 9 seconds), that is a lot of bandwidth being
> consumed by probably a lot of otherwise idle boxes that are trying to
> keepalive NAT translations.
>

And you seem to suggest that this bandwidth that is being used for IKE NAT
keepalives should not be charged by an ISP.

Why should an ISP bear such an abuse of their bandwidth, that they cannot
charge for? Particularly if you consider an ISP trying to provide DSL or
Cable access, where most people have a little IPsec router (or some
other IPsec box) at home connecting to their corporation. The ISP can
instead choose to upgrade their NAT boxes, and suggest to all plausible
customers to use the SPI matching technique so that bandwidth wastage for
both the UDP encapsulation and keepalives can be saved.

    chinna
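As an added example (not part of the thread or of either author's implementation), here is a small Python model of the keepalive rule discussed above: the host behind the NAT sends a NAT keepalive only when nothing else has left on the UDP-encapsulated SA for one configured interval, and any outgoing packet resets that timer. The per-packet size used for the bandwidth figure is an assumption (IP + UDP header plus a one-byte payload); the traffic timeline is constructed.

```python
from typing import Iterable, List

def keepalive_times(traffic: Iterable[float], interval: float, duration: float) -> List[float]:
    """Return the times at which the NAT'd host emits NAT keepalives.

    traffic  -- timestamps (seconds) of outgoing data packets on the SA
    interval -- configured keepalive interval (e.g. 20 s or 9 s)
    duration -- length of the observation window; the SA is up at t=0

    A keepalive fires when `interval` seconds pass with no transmission;
    both data packets and keepalives count as transmissions.
    """
    pending = sorted(t for t in traffic if 0.0 <= t <= duration)
    sent: List[float] = []
    last_tx = 0.0  # SA establishment at t=0 counts as the last transmission
    i = 0
    while True:
        deadline = last_tx + interval
        if deadline > duration:
            break
        if i < len(pending) and pending[i] <= deadline:
            # Real traffic went out first: it keeps the translation alive
            # and the keepalive timer restarts from that packet.
            last_tx = pending[i]
            i += 1
            continue
        # Idle for a full interval: send a keepalive and restart the timer.
        sent.append(deadline)
        last_tx = deadline
    return sent

def keepalive_bps(traffic: Iterable[float], interval: float, duration: float,
                  packet_bytes: int = 29) -> float:
    """Average keepalive bandwidth in bits/s for one SA over `duration`.

    packet_bytes is an assumption: 20-byte IPv4 + 8-byte UDP + 1-byte payload.
    """
    n = len(keepalive_times(traffic, interval, duration))
    return n * packet_bytes * 8 / duration

if __name__ == "__main__":
    hour = 3600.0
    # Constructed timeline: a completely idle SOHO box for one hour.
    for iv in (20.0, 9.0):
        print(f"idle SA, {iv:>4} s interval: "
              f"{len(keepalive_times([], iv, hour))} keepalives, "
              f"{keepalive_bps([], iv, hour):.1f} bit/s")
    # Constructed timeline: a few data packets suppress some keepalives.
    print(keepalive_times([5.0, 30.0, 100.0], 20.0, 120.0))
```

Multiplying the idle-SA figure by the number of subscribers gives the aggregate the ISP carries without a corresponding data flow, which is the cost the message argues about.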