From: "John Van Boxtel" <jvb@whoowl.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: distributed natd
Date: Fri, 10 Aug 2001 21:02:37 -0700
Organization: Whoowl.com

> Not quite, I'm afraid. If a host shuts down it will close open
> connections; yet if it dies suddenly (power down, cable cut, etc.) you
> will get a connection timeout. Unfortunately we should switch gateways ASAP
> after failure. Standard TCP timeout seems too long for me. Do you know any
> way to shorten this time? Therefore I would rather make gateways "ping"
> each other over the link, say once a second. There's a technique IRC
> servers use to check if a client is still alive: once a minute or so they
> send the client a "PING" command; if the client does not say "PONG"
> within a given interval they assume it's dead and shut down the connection.
> Something like that could be used here. Of course if the TCP connection shuts
> down it would also signal that something is wrong.

So maybe a persistent TCP connection that sends keep-alive-type packets.

> > This would not be useful for telling if that gateway no longer has
> > an upstream connection

> If a gateway is alive and loses its upstream connection and knows it
> (interface down, inability to ping next router, etc.) it could detect it
> and send the appropriate message to peer gateways.

Keeping with the above ping-pong idea, maybe instead of ICMP packets you can stick with TCP and have the data in the packet have some sort of "upstream ok" / "upstream down" bit in it...

> > Interesting stuff :-)

> Yeah. I like this subject too. :-)

Always fun to think about things that have not been tried; of course maybe this all has, and we are talking about this thing called the wheel...

JVB
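The heartbeat the thread converges on (a persistent TCP link between gateways, one PING a second, an "upstream ok/down" flag riding in every frame, and a peer declared dead after a silence threshold) sketched as an added Python example; this is not code from the original thread or from natd. The JSON line framing, the 3-second dead threshold and the `simulate` driver are assumptions for illustration; in a real deployment the frames would be written to and read from the TCP socket.

```python
import json
PING_INTERVAL = 1.0  # one PING per second, as proposed in the thread
DEAD_AFTER = 3.0     # seconds of silence before the peer counts as dead (assumed value)

def encode(kind, seq, upstream_ok):
    # One heartbeat = one newline-delimited JSON line on the persistent TCP stream.
    return (json.dumps({"t": kind, "seq": seq, "up": upstream_ok}) + "\n").encode()

def decode(line):
    # Parse a frame; anything that is not a well-formed PING/PONG is rejected.
    msg = json.loads(line)
    if msg.get("t") not in ("PING", "PONG") or type(msg.get("up")) is not bool:
        raise ValueError("malformed heartbeat frame")
    return msg

class GatewayPeer:
    def __init__(self, clock):         # clock(): seconds; use time.monotonic in real code
        self.clock, self.seq, self.last_ping_at = clock, 0, float("-inf")
        self.upstream_ok = True        # our own upstream state, carried in every frame
        self.peer_upstream_ok = True   # what the peer last reported about its upstream
        self.last_heard = clock()
    def tick(self):                    # call periodically; returns a PING when due, else b""
        now = self.clock()
        if now - self.last_ping_at < PING_INTERVAL:
            return b""
        self.last_ping_at, self.seq = now, self.seq + 1
        return encode("PING", self.seq, self.upstream_ok)
    def receive(self, line):
        # Any valid frame proves the peer is alive; a PING is answered with a PONG.
        msg = decode(line)
        self.last_heard, self.peer_upstream_ok = self.clock(), msg["up"]
        return encode("PONG", msg["seq"], self.upstream_ok) if msg["t"] == "PING" else b""
    def status(self):
        # "dead": silent longer than DEAD_AFTER; "upstream-down": peer told us; else "alive".
        if self.clock() - self.last_heard > DEAD_AFTER:
            return "dead"
        return "alive" if self.peer_upstream_ok else "upstream-down"

def simulate(peer_silent_after, peer_upstream_fails_at=None, horizon=10.0, step=0.5):
    # A heartbeats B over a lossless in-memory link on a fake clock; B falls silent at
    # peer_silent_after. Returns (time, status) when A first sees trouble, else None.
    now = [0.0]
    a, b = GatewayPeer(clock=lambda: now[0]), GatewayPeer(clock=lambda: now[0])
    while now[0] <= horizon:
        if peer_upstream_fails_at is not None and now[0] >= peer_upstream_fails_at:
            b.upstream_ok = False                 # B knows its uplink died and says so
        ping = a.tick()
        if ping and now[0] < peer_silent_after:   # link still up: B answers A's PING
            a.receive(b.receive(ping))
        if a.status() != "alive":
            return now[0], a.status()
        now[0] += step
```

A peer that knows its uplink is gone is noticed on the very next PING, while a crashed peer is only noticed after the silence threshold, which is the latency trade-off the thread is weighing against the standard TCP timeout.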