[Help-gnutls] Re: Announcement: Yet another GnuTLS-using program: Mandos
Simon Josefsson
simon at josefsson.org
Thu Oct 9 12:22:57 CEST 2008
Teddy Hogeborn <teddy at fukt.bsnet.se> writes:
> Simon Josefsson <simon at josefsson.org> writes:
>
>> Teddy Hogeborn <teddy at fukt.bsnet.se> writes:
>>
>>>> This might introduce network timeouts, but if the Mandos client is
>>>> robust about that there shouldn't be a problem.
>>>
>>> I'm not sure what you mean. Should not a TLS connection over TCP
>>> be alive indefinitely even if no data is sent over it?
>>
>> NAT firewalls tend to drop TCP sessions without any traffic over
>> them after some time. Possibly the client could retry after some
>> interval. Maybe your protocol could contain a ping-function. This
>> would add some complexity, so for simplicity it might be better to
>> avoid.
>
> If this really would be a problem for somebody, should not this simply
> be solved by setting SO_KEEPALIVE?
Possibly, although I'm not certain.
> Now, the system as it is today is restricted to the local network (no
> network configured in the initrd, so we use IPv6 link-local
> addresses), so this should never happen.
Ah, that changes the model somewhat. I guess it could be extended to
use DHCP and talk to a Mandos server somewhere else on the Internet
though.
/Simon
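As an added illustration of the SO_KEEPALIVE suggestion raised in the thread (this is not code from the thread, from GnuTLS or from Mandos): enabling keepalive on a socket and then reading the settings back, with the caveat that SO_KEEPALIVE alone keeps the kernel's default probe timers. The function names, the 60 s idle time and the 10 s / 6 probe values are assumptions chosen for the example.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>

/* Turn on TCP keepalive and, where the platform exposes the knobs, set
 * how long the socket may sit idle before the first probe (idle_s), the
 * gap between probes (intvl_s) and how many unanswered probes mean the
 * peer is gone (cnt). Returns 0 on success, -1 on error (see errno). */
int enable_keepalive(int fd, int idle_s, int intvl_s, int cnt)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0)
        return -1;
#ifdef TCP_KEEPIDLE
    /* Linux-specific. SO_KEEPALIVE by itself leaves the kernel default
     * idle time (2 hours on Linux), far longer than typical NAT session
     * timeouts, so the probe timers have to be lowered as well. */
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle_s, sizeof idle_s) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl_s, sizeof intvl_s) < 0 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof cnt) < 0)
        return -1;
#else
    (void)idle_s; (void)intvl_s; (void)cnt;   /* no portable equivalent */
#endif
    return 0;
}

/* Self-check (assumed helper): open a TCP socket, apply the settings and
 * read them back. Returns 1 if the kernel reports keepalive enabled with
 * the requested idle time (just "enabled" where TCP_KEEPIDLE is absent). */
int keepalive_selfcheck(int idle_s)
{
    int fd = socket(AF_INET6, SOCK_STREAM, 0);  /* IPv6, as Mandos uses link-local */
    if (fd < 0)
        fd = socket(AF_INET, SOCK_STREAM, 0);   /* fall back if IPv6 is disabled */
    if (fd < 0)
        return 0;
    int ok = enable_keepalive(fd, idle_s, 10, 6) == 0;
    int on = 0, idle = idle_s;
    socklen_t len = sizeof on;
    ok = ok && getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, &len) == 0 && on;
#ifdef TCP_KEEPIDLE
    len = sizeof idle;
    ok = ok && getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, &len) == 0;
#endif
    close(fd);
    return ok && idle == idle_s;
}
```

Call keepalive_selfcheck(60) to confirm that a 60 s idle time, well under common NAT table timeouts, was actually applied rather than the 2-hour default.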