Date: Fri, 10 Aug 2001 20:48:32 +0200 (CEST)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: John Van Boxtel <jvb@whoowl.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: distributed natd
Message-ID: <Pine.BSF.4.21.0108102028450.88285-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <010c01c121b9$461f3040$6b00a8c0@vanbo.whoowl.com>
On Fri, 10 Aug 2001, John Van Boxtel wrote:

> > Next, I don't know whether they should communicate over TCP or UDP. I
> > would use UDP since it might be faster and it allows broadcasts (one
> > firewall broadcasting changes to all others on the secure network) but is
> > unreliable. A persistent TCP connection may be also considered.
>
> The persistent TCP connection could be used well, as if the connection
> dropped this could signal that the other gateway is down for whatever
> reason.

Not quite, I'm afraid. If a host shuts down it will close open connections; yet if it dies suddenly (power down, cable cut, etc.) you will get a connection timeout. Unfortunately we should switch gateways ASAP after failure. The standard TCP timeout seems too long to me. Do you know any way to shorten this time?

Therefore I would rather make gateways "ping" each other over the link, say once a second. There's a technique IRC servers use to check if a client is still alive: once a minute or so they send the client a "PING" command; if the client does not say "PONG" within a given interval they assume it's dead and shut down the connection. Something like that could be used here. Of course if the TCP connection shuts down it would also signal that something is wrong.

> This would not be useful for telling if that gateway no longer has
> an upstream connection

If a gateway is alive and loses its upstream connection and knows it (interface down, inability to ping the next router, etc.) it could detect it and send the appropriate message to peer gateways.

> Interesting stuff :-)

Yeah. I like this subject too. :-)