Subject: Re: IP-in-TCP?
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Daniel Carosone <email@example.com>
Date: 02/02/2005 22:28:46
Content-Type: text/plain; charset=us-ascii
On Wed, Feb 02, 2005 at 05:56:49AM -0500, der Mouse wrote:
> I once had to deal with a NAT box with a very low timeout, on the order
> of three minutes.=20
Odd you should say that:
net.inet.tcp.keepidle =3D 300
net.inet.tcp.keepintvl =3D 150
This was motivated by being behind a reverse load-balancer[*] at one
customer site, with a similar short timeout.
> I ended up hacking an option into the kernel so I could have it
> *always* do keepalives whether userland requested them or not
That would be useful. Every so often I come across apps that don't
have a convenient config file option..
[*] RADware linkproof, designed to provide failover and load balancing
for a site over multiple ISP links, without needing BGP or you own
addresses. Best use of NAT ever. One of those frightfully clever and
simple ideas that just makes you smack your forehead for not thinking
of it yourself.
It monitors the connectivity of N external links, each with their
ISP-assigned address space. Outbound connections get directed out the
relevant alive link according to various policy options, and
source-NATed accordingly. It acts as a DNS server for inbound
connections (to webservers etc), and responds with an A record for the
appropriate link (and a tiny TTL). It can be smart and monitor
response times from various external addresses to try and place them
on the best link, if you let it. It does a bunch of other stuff
probably noone uses much.
Unfortunately, they charge a bomb for these devices, and they have
this abominably-short NAT timeout - in part because the whole model
doesn't do failover for long-running connections, so they tend to get
used for sites with lots of short ones: web, smtp, dns, ...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (NetBSD)
-----END PGP SIGNATURE-----