Subject: Re: IP-in-TCP?
To: Seth Kurtzberg <seth@cql.com>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-net
Date: 02/02/2005 15:32:10
In message <4201370D.7020008@cql.com>, Seth Kurtzberg writes:
>Gert Doering wrote:
>>
>>TCP keepalives are usually sent once per hour or so (did some googling:
>>default on most unixes seems to be 2 hours), which is enough to clean
>>up "dead" TCP connections, but usually not enough to keep open over-eager
>>NAT routers.
>>
The two-hour figure is from Section 4.2.3.6 of RFC 1122.
>>
>That's just a default. Usually you can override the default with a
>setsockopt call, or an ioctl call, depending on the O/S.
It's a sysctl on NetBSD.
>
>However, I've found in many cases that TCP keepalive is simply broken
>(not in NetBSD, but broken anywhere along the path is broken for the
>entire path).
Hmm -- details? I'm surprised that anything else notices.
>
>>(This is the reason why, for example, OpenSSH contains a protocol-level
>>keepalive mechanism, which sends packets much more frequently).
Not a bad idea, though from what I can see it's solely a server option;
there's no way a client -- say, one behind a @#$%^ NAT box -- can
generate such messages (at least not that I see from a quick glance at
the code).
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
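Added example, not from this thread or from any system named in it: the per-socket override Seth describes, in C against the Linux option names TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT (function names and the 60 s / 10 s / 3-probe values are assumptions for illustration). It enables keepalives, replaces the two-hour default with a 60-second idle time, reads the value back to confirm it took, and computes the worst-case time before a silent peer is noticed.

```c
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>

/* Turn keepalives on for this socket and replace the system default (the
 * RFC 1122 two-hour idle time) with idle_s seconds before the first probe,
 * interval_s seconds between probes, and count unanswered probes before the
 * peer is declared dead. Returns 0 on success, -1 with errno set otherwise. */
int enable_keepalive(int fd, int idle_s, int interval_s, int count)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_s, sizeof idle_s) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &interval_s, sizeof interval_s) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &count, sizeof count) < 0)
        return -1;
    return 0;
}

/* Read back the effective idle time in seconds (-1 on error), so the override
 * is verified rather than assumed. */
int keepalive_idle(int fd)
{
    int v = -1;
    socklen_t len = sizeof v;
    return getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &v, &len) < 0 ? -1 : v;
}

/* Worst case before a silent peer is noticed: idle + count * interval. */
int keepalive_dead_after(int idle_s, int interval_s, int count)
{
    return idle_s + count * interval_s;
}

/* Open a socket, apply a constructed 60 s / 10 s / 3-probe policy and return
 * the idle time read back (-1 on any failure). Function name is ours. */
int demo_keepalive_idle(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), v = -1;
    if (fd < 0)
        return -1;
    if (enable_keepalive(fd, 60, 10, 3) == 0)
        v = keepalive_idle(fd);
    close(fd);
    return v;
}
```

With these values a dead peer behind a NAT is noticed within 90 seconds instead of the 7200-plus seconds the default allows; the per-socket setting leaves the sysctl default untouched for every other connection on the host.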