[OpenAFS] rxtcp, rxutcp

Buhrmaster, Gary gtb@slac.stanford.edu
Thu, 30 Mar 2006 09:52:13 -0800



> I have found that with the Linksys routers that SSH sessions 
> drop after
> 10 or 15 minutes of being idle if the server decides it wants to send
> data to the client.   It may be that the NAT will allow the client to
> re-use the same external port if it sends data, but the mapping is
> certainly removed in the in-bound direction after a relatively short
> period of time.

That is not usually the case.  Once the session is "terminated",
things start over (you might get the same outgoing port, but
that is an accident, not a design point).

There are *good* firewalls/nat devices, and there are *bad* ones.
The *good* ones (the major vendors like Juniper, Cisco, Checkpoint)
do a better job of tracking the session state (tracking all the
SYN/ACK/FIN transitions, even across multiple redundant
load-sharing firewalls) to protect against premature session 
timeout while releasing state as soon as possible when one side 
closes the session.  And they are all manageable (and usually 
*require* managing) by network professionals who actually 
understand firewalls and nat, and can tune the devices for 
unusual activities or protocols (whether they will at your 
site is an exercise for the customer).  Some did (not sure
they all still do) inject a "probe" packet into the stream
(either a zero byte packet to force a window response, or
resending some packets) to verify the connection was still
active.

The Linksyses of the world are in a different design point
(presuming the people using them could not change a default 
if their life depended on it), and have a primary testing
point of those applications that home users are expected
to use (web browsing, mail retrieval).  Since home customers
do not use AFS (from the vendor's point of view), AFS
friendliness is not the design point.

That all said, if the rxtcp protocol implements an occasional
"ping" across the transport (in either direction), where
occasional is probably around 5 minutes (but probably
should be configurable), I know of no NAT box that would
not keep the TCP session active.  Of course, one will still
need to handle the occasional TCP session disconnect (just
like NFS over TCP has to do so).

Gary Buhrmaster
SLAC Computer Security
SLAC Networking
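The keepalive scheme proposed in the last paragraph of the message (an occasional application-level "ping" over the TCP transport, interval defaulting to about 5 minutes but configurable, plus handling of the occasional session disconnect), as an added example that is not part of the original message and not OpenAFS or rxtcp code. It assumes a PING/PONG line protocol, a loopback test peer that can be told to drop a session, and Linux names for the kernel TCP keepalive options (TCP_KEEPIDLE and friends, skipped where a platform lacks them); all of these are illustrative assumptions, not anything from the page.

```python
"""Application-level keepalive for a long-lived TCP session, plus kernel
TCP keepalive, with reconnect on a dropped session.  Added example, not
OpenAFS/rxtcp code: the PING/PONG protocol, the loopback peer and the
Linux TCP_KEEP* option names are assumptions for illustration."""
import socket
import threading
import time

PING = b"PING\n"
PONG = b"PONG\n"


def enable_tcp_keepalive(sock, idle=300, interval=60, count=5):
    """Have the kernel probe an idle connection (the zero-byte probe the
    message describes).  First probe after `idle` s, then every `interval` s,
    give up after `count` unanswered.  TCP_KEEP* names are Linux's; missing
    ones are skipped and simply absent from the returned dict."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))}
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = value
    return applied


class PongServer(threading.Thread):
    """Loopback peer (constructed for the example): answers PING with PONG.
    Setting drop_next makes it close the session on the next message without
    replying, which is what a NAT box that forgot the mapping looks like."""

    def __init__(self):
        super().__init__(daemon=True)
        self.lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.lsock.bind(("127.0.0.1", 0))
        self.lsock.listen(5)
        self.addr = self.lsock.getsockname()
        self.drop_next = threading.Event()
        self.sessions = 0

    def run(self):
        while True:
            conn, _ = self.lsock.accept()
            self.sessions += 1
            threading.Thread(target=self.serve, args=(conn,), daemon=True).start()

    def serve(self, conn):
        with conn:
            while True:
                data = conn.recv(64)
                if not data or self.drop_next.is_set():
                    self.drop_next.clear()
                    return                  # close without a PONG: client sees EOF
                if data == PING:
                    conn.sendall(PONG)


class KeepaliveClient:
    """Sends a PING whenever the session has been idle for ping_interval
    seconds (default 5 minutes, configurable) and reconnects when it fails."""

    def __init__(self, addr, ping_interval=300.0, io_timeout=2.0):
        self.addr, self.ping_interval, self.io_timeout = addr, ping_interval, io_timeout
        self.sock = None
        self.last_activity = 0.0
        self.pings = self.reconnects = 0

    def connect(self):
        self.sock = socket.create_connection(self.addr, timeout=self.io_timeout)
        enable_tcp_keepalive(self.sock)
        self.last_activity = time.monotonic()

    def _readline(self):
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = self.sock.recv(64)
            if not chunk:                   # EOF: peer or NAT tore the session down
                break
            buf += chunk
        return buf

    def tick(self):
        """Call periodically.  None: no ping due.  True: ping answered.
        False: ping failed and a fresh session was established."""
        if time.monotonic() - self.last_activity < self.ping_interval:
            return None
        try:
            self.sock.sendall(PING)
            if self._readline() != PONG:
                raise ConnectionError("no PONG")
            self.pings += 1
            self.last_activity = time.monotonic()
            return True
        except OSError:                     # EOF, RST, or recv timeout (silent drop)
            self.sock.close()
            self.reconnects += 1
            self.connect()
            return False


def demo(ping_interval=0.05):
    """Three idle pings, one session dropped by the peer before the fourth
    ping (forcing a reconnect), then one ping on the new session."""
    server = PongServer()
    server.start()
    client = KeepaliveClient(server.addr, ping_interval)
    client.connect()
    outcomes = []
    for step in range(5):
        if step == 3:
            server.drop_next.set()          # the "mapping expires" before ping 4
        time.sleep(ping_interval * 1.5)
        outcomes.append(client.tick())
    return {"outcomes": outcomes, "pings": client.pings,
            "reconnects": client.reconnects, "sessions": server.sessions}


if __name__ == "__main__":
    print(demo())
    # {'outcomes': [True, True, True, False, True], 'pings': 4, 'reconnects': 1, 'sessions': 2}
```

The kernel keepalive covers the "zero byte probe" case and keeps a consumer NAT's mapping warm without any protocol change, but it is per-host tuning; the application-level PING is what a transport like the proposed rxtcp would carry itself, and it is the only one of the two that lets the protocol notice the dead session and re-establish it rather than merely detect it.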
