Subject: Re: IP-in-TCP?
To: Steven M. Bellovin <>
From: Daniel Carosone <>
List: tech-net
Date: 02/03/2005 07:41:31
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Feb 02, 2005 at 03:32:10PM -0500, Steven M. Bellovin wrote:
> In message <>, Seth Kurtzberg writes:
> >However, I've found in many cases that TCP keepalive is simply broken
> >(not  in NetBSD, but broken anywhere along the path is broken for the
> >entire path).
> Hmm -- details?  I'm surprised that anything else notices.

I've never seen it, but I've seen all sorts of other interesting bugs
in overly-'clever' stateful firewalls.  Still, that doesn't seem like
a bug or product that would last long.

> >>(This is the reason why, for example, OpenSSH contains a protocol-level
> >>keepalive mechanism, which sends packets much more frequently).
> Not a bad idea, though from what I can see it's solely a server option;
> there's no way a client -- say, one behind a @#$%^ NAT box -- can
> generate such messages (at least not that I see from a quick glance at
> the code).

That depends on the client - PuTTY has client options for it.  It's
most useful when the TCP connection and the SSH connection don't have
the same span - for example when using an HTTP CONNECT proxy from the
client. Keepalives to the proxy often aren't what you need; you need
activity between the proxy and an external firewall, or you need
actual data to flow on the connection for the proxy to consider the
connection non-idle.

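An added example, not part of the thread, showing the configuration
the last message describes: an OpenSSH client whose TCP connection ends
at an HTTP CONNECT proxy while the SSH session continues to the far
server. The TCP keepalive (TCPKeepAlive) is a kernel-generated segment
with no payload and stops at the proxy; the SSH-level keepalive
(ServerAliveInterval, a client-side option in OpenSSH 3.8 and later)
is an encrypted global request that carries real data through the
proxy to the server, so the proxy's idle timer and any firewall on the
far leg see traffic. Assumptions not stated in the thread: an
OpenBSD-style nc(1) that accepts -X connect / -x proxy:port for the
ProxyCommand, and placeholder host names, proxy address and timers.

```shell
#!/bin/sh
# Added example (not code from the thread or from OpenSSH itself).
# Assumes: OpenSSH 3.8+ client (ServerAliveInterval exists client-side),
# an OpenBSD-style nc(1) with -X connect / -x, and placeholder names below.

# write_ssh_config FILE PROXY_HOST:PORT
# Appends a Host block to FILE that reaches ssh.example.net (placeholder)
# through an HTTP CONNECT proxy and sends an SSH-level keepalive every 60 s,
# dropping the session after 3 unanswered requests (ssh_config(5) options).
write_ssh_config() {
    file=$1
    proxy=$2
    cat >>"$file" <<EOF
Host via-proxy
    HostName ssh.example.net
    # The TCP connection from ssh ends at nc/the proxy; nc performs the
    # HTTP CONNECT handshake and relays bytes to %h:%p.
    ProxyCommand nc -X connect -x $proxy %h %p
    # Protocol-level keepalive: an encrypted SSH global request, i.e. real
    # payload, which the proxy forwards and counts as activity.
    ServerAliveInterval 60
    ServerAliveCountMax 3
    # Harmless, but this keepalive never leaves the client<->proxy leg.
    TCPKeepAlive yes
EOF
}

# write_sshd_config FILE
# Appends the server-side counterpart (sshd_config(5)): the server polls an
# idle client every 60 s and disconnects after 3 missed replies. As with the
# client option, this is SSH traffic, not a TCP keepalive.
write_sshd_config() {
    file=$1
    cat >>"$file" <<EOF
ClientAliveInterval 60
ClientAliveCountMax 3
EOF
}

# Usage (writes to temporary files so nothing on the system is touched):
#   tmp=$(mktemp); write_ssh_config "$tmp" proxy.example.net:3128; cat "$tmp"
#   ssh -F "$tmp" via-proxy
```

With OpenSSH 6.8 or later, `ssh -G -F FILE via-proxy` prints the resolved
options without connecting, which is a quick way to confirm that
ServerAliveInterval and ProxyCommand took effect for that host.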