
Re: NAT Traversal



Chinna N.R. Pellacuru writes:
> And you seem to suggest that this bandwidth that is being used for IKE NAT
> keeplives should not be charged by an ISP.

Why not? I didn't say anything about that. Firstly, the bandwidth used
by them is negligible. Secondly, the user sending those packets can
configure them with a suitable timeout that the NAT box still supports.
Thirdly, the user sending them can also set the TTL of those packets so
low that they will only reach the NAT box, not the box behind that.

> Why should an ISP bear such an abuse of their bandwidth, that they cannot
> charge for? Particularly if you consider an ISP trying to provide DSL or

The ISP can also filter those packets out if they consider
them an abuse of their network; hopefully they will filter them
after the NAT :-)

> Cable access, where most people are having a little IPsec router (or some
> other IPsec box) at home connecting to their corporation. The ISP can
> instead choose to upgrade their NAT boxes, and suggest to all plausible
> customers to use the SPI matching technique so that bandwidth wastage for
> both the UDP encapsulation and keepalives can be saved.

I have to say that for all ISPs here in Finland the price for the
keepalives is negligible, even when sent at a 20 second interval
as suggested by the draft (I still don't understand why you keep on
using the 9 seconds and assume that nobody can configure it. The draft
clearly says that this timeout is a "locally configurable parameter with
a default value of 20 seconds").

If we assume the ISP actually accounts per byte (and I assume here
they account only actual data bytes, not the Ethernet frame bytes),
this means that each keepalive is 20 bytes of IP header, 8 bytes of
UDP header and 1 byte of payload, i.e. 29 bytes. If the connection is
totally idle (and for some reason we want to keep the SA up and the
connection up even when we are not sending any traffic) there will be
4320 keepalive packets sent per day. That means 122 kB per day.

The most expensive pay-per-byte rate here is something like 2.3736 euros
per MB (www.sonera.net when using GPRS on a mobile phone to connect to
the internet), meaning that those keepalives will cost 0.28 euros per
day, and note here that the user wanted to keep a completely unused SA
up and running for the whole day without configuring the keepalives
longer.

If the user really cares about the cost of the keepalives, he should
probably close the connection when he is not using it, or select an
operator that uses a fixed price (16.6 euros / month).
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
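The arithmetic above, plus the 29-byte keepalive datagram and the low-TTL trick, as an added worked example (my own illustration, not code from the thread or the SSH toolkit). It assumes the single 0xFF octet on UDP port 4500 that the NAT traversal spec uses for keepalives, the constructed addresses 10.0.0.2 / 192.0.2.1, and binary megabytes (1048576 bytes), which is what reproduces the 0.28 euro figure.

```python
import socket
import struct

IKE_NAT_T_PORT = 4500        # UDP port used for IKE/ESP NAT traversal
KEEPALIVE_PAYLOAD = b"\xff"  # NAT-keepalive payload: one 0xFF octet
SECONDS_PER_DAY = 86400


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (16-bit words)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_keepalive(src: str, dst: str, ttl: int = 64) -> bytes:
    """IPv4 + UDP NAT-keepalive datagram (20 + 8 + 1 = 29 bytes).
    A small ttl makes the packet expire just past the NAT box instead of
    travelling on through the ISP network, as the post suggests."""
    udp_len = 8 + len(KEEPALIVE_PAYLOAD)
    total_len = 20 + udp_len
    # ver/IHL, TOS, total length, id, flags/frag, TTL, proto 17 (UDP),
    # checksum placeholder, source, destination (addresses are constructed)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # UDP checksum 0 means "not computed", which IPv4 permits
    udp = struct.pack("!HHHH", IKE_NAT_T_PORT, IKE_NAT_T_PORT, udp_len, 0)
    return ip + udp + KEEPALIVE_PAYLOAD


def daily_keepalive_cost(interval_s: int, eur_per_mb: float,
                         pkt_len: int = 29) -> tuple[int, int, float]:
    """(packets/day, bytes/day, euros/day) for a completely idle SA,
    counting IP bytes only, not Ethernet framing, as the post does."""
    packets = SECONDS_PER_DAY // interval_s
    byte_total = packets * pkt_len
    return packets, byte_total, byte_total / (1024 * 1024) * eur_per_mb


if __name__ == "__main__":
    pkt = build_keepalive("10.0.0.2", "192.0.2.1", ttl=2)
    print(len(pkt), "byte keepalive, TTL", pkt[8])
    for interval in (9, 20):
        print(interval, "s interval:", daily_keepalive_cost(interval, 2.3736))
```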