Date: Fri, 10 Aug 2001 20:48:32 +0200 (CEST)
From: Krzysztof Zaraska
To: John Van Boxtel
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: distributed natd
In-Reply-To: <010c01c121b9$461f3040$6b00a8c0@vanbo.whoowl.com>

On Fri, 10 Aug 2001, John Van Boxtel wrote:

> > Next, I don't know whether they should communicate over TCP or UDP. I
> > would use UDP since it might be faster and it allows broadcasts (one
> > firewall broadcasting changes to all others on the secure network) but is
> > unreliable. A persistent TCP connection may be also considered.
>
> The persistent TCP connection could be used well as if the connection
> dropped this could signal that the other gateway is down for whatever
> reason.

Not quite, I'm afraid. If a host shuts down it will close open connections; yet if it dies suddenly (power down, cable cut, etc.) you will get a connection timeout. Unfortunately we should switch gateways ASAP after failure. The standard TCP timeout seems too long to me. Do you know any way to shorten this time?
Therefore I would rather make the gateways "ping" each other over the link, say once a second. There's a technique IRC servers use to check if a client is still alive: once a minute or so they send the client a "PING" command; if the client does not say "PONG" within a given interval they assume it's dead and shut down the connection. Something like that could be used here. Of course if the TCP connection shuts down it would also signal that something is wrong.

> This would not be useful for telling if that gateway no longer has
> an upstream connection

If a gateway is alive and loses its upstream connection and knows it (interface down, inability to ping the next router, etc.) it could detect it and send the appropriate message to peer gateways.

> Interesting stuff :-)

Yeah. I like this subject too. :-)
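As an added illustration of the PING/PONG heartbeat and the "upstream is down" notification sketched in this message, here is editor's example code, not anything posted in the thread or taken from natd. The message names (PING, PONG, UPSTREAM_DOWN, UPSTREAM_UP), the one-second interval, the three-missed-replies threshold and the localhost ports used by the demo are all assumptions made for the example.

```python
"""
Application-level heartbeat between NAT gateways (editor's example, not from the thread).

Each gateway sends PING to its peers once a second and answers PING with PONG;
a peer that has not replied for MISSED_LIMIT intervals is declared dead.  A
gateway that notices its own upstream link failing tells its peers with
UPSTREAM_DOWN.  The detector takes the clock as a parameter so the logic can
be exercised without waiting for real time to pass.
"""
import socket
import threading
import time

HEARTBEAT_INTERVAL = 1.0   # seconds between PINGs ("once a second", assumed)
MISSED_LIMIT = 3           # missed intervals before a peer counts as dead (assumed)


class PeerState:
    def __init__(self, now):
        self.last_pong = now      # time of the most recent PONG from this peer
        self.upstream_ok = True   # last state the peer reported for its upstream link


class GatewayMonitor:
    """Liveness and upstream bookkeeping for a fixed, pre-configured set of peers."""

    def __init__(self, peers, now):
        self.peers = {p: PeerState(now) for p in peers}

    def handle(self, sender, msg, now):
        """Process one datagram from sender; return the reply to send, or None.

        Datagrams from unknown senders are dropped without a reply: on a plain
        UDP link anyone able to inject packets could otherwise register as a
        peer or fake an UPSTREAM_DOWN and force a failover.
        """
        if sender not in self.peers:
            return None
        state = self.peers[sender]
        if msg == b"PING":
            return b"PONG"
        if msg == b"PONG":
            state.last_pong = now
        elif msg == b"UPSTREAM_DOWN":
            state.upstream_ok = False
        elif msg == b"UPSTREAM_UP":
            state.upstream_ok = True
        return None

    def dead_peers(self, now):
        """Peers whose last PONG is older than MISSED_LIMIT heartbeat intervals."""
        limit = MISSED_LIMIT * HEARTBEAT_INTERVAL
        return sorted(p for p, s in self.peers.items() if now - s.last_pong > limit)

    def usable_peers(self, now):
        """Peers that are alive and have not reported their upstream link down."""
        dead = set(self.dead_peers(now))
        return sorted(p for p, s in self.peers.items() if p not in dead and s.upstream_ok)


def run_gateway(name, port, peer_ports, rounds, results):
    """Run one gateway over UDP on localhost for a fixed number of heartbeat rounds."""
    peers = {"127.0.0.1:%d" % p: ("127.0.0.1", p) for p in peer_ports}
    mon = GatewayMonitor(peers, time.monotonic())
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    sock.settimeout(0.1)
    stop_at = time.monotonic() + rounds * HEARTBEAT_INTERVAL
    next_ping = 0.0
    while time.monotonic() < stop_at:
        now = time.monotonic()
        if now >= next_ping:
            for addr in peers.values():
                sock.sendto(b"PING", addr)
            next_ping = now + HEARTBEAT_INTERVAL
        try:
            msg, (host, p) = sock.recvfrom(64)
        except socket.timeout:
            continue
        reply = mon.handle("%s:%d" % (host, p), msg, time.monotonic())
        if reply:
            sock.sendto(reply, (host, p))
    results[name] = mon.dead_peers(time.monotonic())
    sock.close()


if __name__ == "__main__":
    # Demo: A and B exchange heartbeats for two rounds, then B stops; A keeps
    # running past MISSED_LIMIT intervals and should list B as dead.  Ports are arbitrary.
    results = {}
    a = threading.Thread(target=run_gateway, args=("A", 50001, [50002], 2 + MISSED_LIMIT + 1, results))
    b = threading.Thread(target=run_gateway, args=("B", 50002, [50001], 2, results))
    a.start()
    time.sleep(0.2)          # let A bind before B starts pinging it
    b.start()
    a.join()
    b.join()
    print("A's dead peers:", results["A"])
    print("B's dead peers:", results["B"])
```

Two practical notes. First, the detector deliberately ignores datagrams from addresses that are not configured peers; if the heartbeat link is not a dedicated wire between the gateways, the messages should additionally be authenticated (for example with a shared-key MAC), since an UPSTREAM_DOWN forged by a third party is a cheap way to trigger a failover. Second, the other knob for the TCP-timeout question raised above is the keepalive mechanism: where the OS exposes them, SO_KEEPALIVE together with the TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT socket options shorten the time after which a silent TCP peer is declared dead, but an application-level heartbeat such as the one above remains the only way to also carry the "my upstream is down" state.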