tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: IPfilter NAT and stalled TCP connexions



On 30 Mar 2010, at 00:00 , Michael Graff wrote:
On 3/26/10 9:31 AM, Chuck Swiger wrote:
>> Unless NetBSD has "sysctl net.inet.ip.ttl" set to less than 60, that low of 
>> a timeout can be expected to be too short.  In fact, I'd suggest that 
>> setting NAT timeouts to a minimum of least 5 minutes due to:
> 
> I don't think that sysctl is really a "time to live" in seconds as much
> as the badly named IP header TTL value, which is decremented on each
> forward through a router.  It's loop prevention not NAT related.

It wasn't badly named when it was named, and the field wasn't just
for loop protection.  Originally routers were required to decrement
the ttl by 1 for each second they held a packet, rounded up, with
the purpose being to protect TCP against (theoretical) corruption
from very-late-arriving segments.  It was only later (RFC 1812) that
this behaviour was made optional, given that no almost routers had
implemented the time-based decrement and no TCP problems had ever been
observed in practice.

It is true, however, that this value has nothing to do with NAT.

Dennis Ferguson


Home | Main Index | Thread Index | Old Index