tech-net archive
Re: IPfilter NAT and stalled TCP connections
On Mar 26, 2010, at 9:21 AM, Greg Troxel wrote:
>
> Emmanuel Dreyfus <manu%netbsd.org@localhost> writes:
>
>> Hello
>>
>> I use IPFilter on a gateway, to perform 1:1 NAT mapping, and I have
>> an annoying problem with stalled TCP connections.
>>
>> As I understand, the default lifetime of a TCP mapping in the NAT table
>> is one minute. After one minute of inactivity for the TCP connection, the
>> mapping vanishes. If the client sends data, the mapping is reinstantiated
>> and the TCP connection resumes normally.
>>
>> But if the server sends data on a TCP connection that has no NAT mapping
>> at the moment, the data will not get through. When the client later
>> sends data and reinstantiates the mapping, it has a hard time restoring
>> the TCP connection to a usable state. It can remain hung for several
>> seconds, or just be disconnected.
>>
>> Question: how can that be fixed? I can increase the mapping lifetime,
>> but I suspect I will run into resource shortage.
>
> Basically I think you have to increase the mapping lifetime. I think
> ipfilter will remove mappings on connection close. I see your point
> about resource limits, but that's what you get for violating the e2e
> design of IP - if you need state in the middle, then you need it.
>
> 1 minute sounds crazy to me for a NAT timeout. I've run into tables set
> for 1 hour and complained about them. I'd say try 8 hours and see how
> that goes.
Agreed. (I have a little script -- while true; do sleep 60; echo -n .; done --
that I run on idle ssh connections when in hotels with crazy timeouts....)
--Steve Bellovin, http://www.cs.columbia.edu/~smb
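The failure mode Manu describes, and the two fixes discussed in the thread (a longer idle timeout, or a client-side keepalive that fires more often than the timeout), can be seen in a small model of a NAT mapping table with an idle timer. This is an added example, not IPFilter's code and not anything posted by the participants: it models only the behaviour stated above (a mapping is created by the inside client's outbound packet, refreshed by any matching packet in either direction, removed after the idle period, and inbound packets with no live mapping are dropped). Addresses, ports and timings are constructed for illustration, and the timer values are not IPFilter's defaults.

```python
"""Toy model of a NAT mapping table with an idle timeout (added example,
not IPFilter's implementation). Shows why server-initiated data is lost
after the mapping expires, and why either a longer timeout or a client
keepalive shorter than the timeout keeps the connection usable."""
from dataclasses import dataclass, field

# Constructed flow: inside client -> outside server (RFC 5737 test range).
FLOW = ("10.0.0.5", 40000, "192.0.2.10", 22)


@dataclass
class NatTable:
    idle_timeout: float           # seconds of inactivity before removal
    mappings: dict = field(default_factory=dict)  # flow -> last activity time

    def expire(self, now):
        """Drop every mapping idle for longer than idle_timeout."""
        stale = [f for f, last in self.mappings.items()
                 if now - last > self.idle_timeout]
        for f in stale:
            del self.mappings[f]
        return len(stale)

    def outbound(self, now, flow):
        """Inside client sends: create or refresh the mapping, always forward."""
        self.expire(now)
        self.mappings[flow] = now
        return "forwarded"

    def inbound(self, now, flow):
        """Outside server sends: forward only if a live mapping exists."""
        self.expire(now)
        if flow in self.mappings:
            self.mappings[flow] = now
            return "forwarded"
        return "dropped"


def simulate(idle_timeout, events):
    """Replay (time, direction, flow) events in time order.
    Returns a list of (time, direction, outcome)."""
    nat = NatTable(idle_timeout)
    results = []
    for t, direction, flow in sorted(events):
        handler = nat.outbound if direction == "out" else nat.inbound
        results.append((t, direction, handler(t, flow)))
    return results


def scenario(idle_timeout, keepalive_interval=None, horizon=300):
    """One SSH-like session: client opens at t=0, server answers at t=1,
    the server has unsolicited data at t=150, the client types at t=250.
    With keepalive_interval set, the client also sends a tiny packet that
    often. Returns the fate of the server's push at t=150."""
    events = [(0, "out", FLOW), (1, "in", FLOW),
              (150, "in", FLOW), (250, "out", FLOW)]
    if keepalive_interval:
        events += [(t, "out", FLOW)
                   for t in range(keepalive_interval, horizon, keepalive_interval)]
    outcomes = {(t, d): r for t, d, r in simulate(idle_timeout, events)}
    return outcomes[(150, "in")]


if __name__ == "__main__":
    print("60 s timeout, no keepalive:      ", scenario(60))
    print("8 h timeout, no keepalive:       ", scenario(8 * 3600))
    print("60 s timeout, 30 s keepalive:    ", scenario(60, keepalive_interval=30))
    print("60 s timeout, 240 s keepalive:   ", scenario(60, keepalive_interval=240))
```

The last two cases make the point behind Steve's hotel script: a keepalive only helps if its interval is shorter than the NAT's idle timeout; a keepalive slower than the timeout re-creates the mapping each time but leaves gaps in which the server's data is still lost.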