[Openswan dev] [PATCH] Forget about NAT-T in DPD activity check

Herbert Xu herbert at gondor.apana.org.au
Thu Oct 6 13:16:13 CEST 2005


On Thu, Oct 06, 2005 at 03:08:40AM +0200, Paul Wouters wrote:
> 
> I talked briefly with Michael about this. If I understood him correctly,
> this is not the right thing to do. There is a difference in directions
> with respect for DPD (which can happen in both directions or not) and
> NAT-T. Also, apparently sometimes, NAT-T keepalives are eaten up instead
> of passed along, in which case one might still want to use DPD to determine
> if the tunnels are up or not.

I don't understand your point about directions.  NAT-T keep-alives
only need to be transmitted in one direction to keep the connection
alive.

As to the second point, it also doesn't affect the validity
of the idleness check (at least for the native stack).

What I'm saying is that whether NAT-T is turned on or not does not
affect the validity of the idleness test.  Therefore it makes no
sense to skip the idleness check and always send DPD probes when
NAT-T is turned on.

Now if the point is to use DPD probes to keep the NAT-T alive because
you don't trust the NAT-T keep-alives, then I think that should be
made user configurable as otherwise this becomes unmanageable when
you have thousands of tunnels using NAT-T.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
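The scaling point in the reply above, as an added illustration that is not Openswan code: a DPD activity check only probes tunnels that have seen no inbound traffic for the DPD delay, so on a busy gateway most tunnels are never probed. If NAT-T tunnels bypass that check, every one of them is probed every interval whether or not it is idle. The tunnel and policy structures, the `probe_natt_always` knob and the sample population are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a per-SA DPD activity check. A tunnel records
 * when it last received a packet from its peer; a probe is due only
 * when the tunnel has been idle for at least dpd_delay seconds. */
struct tunnel {
    const char *name;
    bool nat_t;         /* NAT traversal negotiated for this SA */
    long last_inbound;  /* time of last packet from the peer (seconds) */
};

/* Hypothetical policy knob: when set, NAT-T tunnels skip the idleness
 * check and are probed on every pass (the behaviour argued against
 * above unless it is made user configurable). */
struct dpd_policy {
    long dpd_delay;
    bool probe_natt_always;
};

bool dpd_should_probe(const struct tunnel *t, const struct dpd_policy *p, long now)
{
    if (p->probe_natt_always && t->nat_t)
        return true;                          /* bypass: no idleness check */
    return (now - t->last_inbound) >= p->dpd_delay;
}

/* Number of probes one scheduler pass would emit for a set of tunnels. */
size_t dpd_count_probes(const struct tunnel *ts, size_t n,
                        const struct dpd_policy *p, long now)
{
    size_t probes = 0;
    for (size_t i = 0; i < n; i++)
        if (dpd_should_probe(&ts[i], p, now))
            probes++;
    return probes;
}

/* Constructed sample: 1000 NAT-T tunnels at time 1000, dpd_delay 30s.
 * Every 100th tunnel has been idle for 60s; the rest saw traffic 5s ago. */
#define NTUN 1000
#define NOW  1000L
static struct tunnel sample[NTUN];

static void build_sample(void)
{
    for (size_t i = 0; i < NTUN; i++) {
        sample[i].name = "natt-tunnel";
        sample[i].nat_t = true;
        sample[i].last_inbound = (i % 100 == 0) ? NOW - 60 : NOW - 5;
    }
}

size_t probes_with_idle_check(void)
{
    struct dpd_policy p = { .dpd_delay = 30, .probe_natt_always = false };
    build_sample();
    return dpd_count_probes(sample, NTUN, &p, NOW);   /* only the idle ones */
}

size_t probes_with_natt_bypass(void)
{
    struct dpd_policy p = { .dpd_delay = 30, .probe_natt_always = true };
    build_sample();
    return dpd_count_probes(sample, NTUN, &p, NOW);   /* every tunnel */
}

int main(void)
{
    printf("probes per pass, idleness check honoured: %zu\n", probes_with_idle_check());
    printf("probes per pass, NAT-T bypasses check:    %zu\n", probes_with_natt_bypass());
    return 0;
}
```

With the check honoured, a pass probes only the 10 idle tunnels; with the bypass it probes all 1000, and that cost is paid every DPD interval, which is why the reply wants the bypass behind an explicit option rather than implied by NAT-T.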
