[VPN] Application timeouts over VPN...HELP!

Alex Pankratov alex at cipherica.com
Sun Apr 13 04:14:31 EDT 2003


Dana J. Dawson wrote:
>  > You make it sound as if it's a commonly accepted fact. Well, it's not.
>  > There is nothing wrong with 'abnormally' long/short TCP sessions.
>  > Consider SSH, IMAP, PPTP and a multitude of instant messaging protocols
>  > as a few examples.
> 
> There may be nothing wrong with "abnormally long" TCP sessions from a 
> TCP or a security standpoint (I'm ignoring the concept of an "abnormally 
> short" TCP session, since I don't believe such a thing exists), but when 
> devices that track the states of those sessions are involved, such as 
> firewalls, then there are very real issues that could be considered 
> problems.  Such devices have to allocate resources for each connection, 
> so they must impose an idle timeout of some sort or risk eventual 
> failure due to lack of resources.  

Not really. Timing out idle connections is neither necessary nor 
sufficient to resolve and/or prevent resource exhaustion. If the 
firewall does encounter a lack of resources, it'd be more reasonable to 
drop the least recently active connection, but timing it out 'preventively' 
serves no clear purpose. Idle TCP timeouts are more of a functional 
feature than an implementation caveat.
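To make the two policies under discussion concrete, here is an added example (not code from the original post or from either poster): a toy connection-tracking table that can be run with a preventive idle timeout, with eviction of the least recently active entry only when the table is actually full, or with neither. The traffic it feeds in is constructed: one long-lived session that goes quiet, a burst of 200 short flows, and then a mid-stream packet from the long-lived session. The capacity of 100 entries and the 300-second timeout are arbitrary values chosen for the illustration.

```python
"""Toy model of a stateful firewall's connection table.

Added example, not from the original mailing-list post. It compares a
preventive idle timeout against evicting the least recently active entry
only when the table is full. All numbers and traffic are constructed.
"""
from collections import OrderedDict


class ConnTable:
    """Connection-tracking table with a fixed capacity.

    idle_timeout:  seconds after which an idle entry is expired on every
                   table access (None disables preventive timeouts).
    evict_on_full: when True, a new flow that finds the table full evicts
                   the least recently active entry instead of being refused.
    """

    def __init__(self, capacity, idle_timeout=None, evict_on_full=False):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.evict_on_full = evict_on_full
        self.table = OrderedDict()  # key -> last_seen; least recently active first
        self.stats = {"expired": 0, "evicted": 0,
                      "refused_new": 0, "out_of_state": 0}

    def _expire(self, now):
        # Preventive idle timeout: drop entries idle longer than the limit.
        if self.idle_timeout is None:
            return
        for key, last_seen in list(self.table.items()):
            if now - last_seen > self.idle_timeout:
                del self.table[key]
                self.stats["expired"] += 1

    def packet(self, key, now, syn=False):
        """Process one packet for flow `key`; return True if it is forwarded."""
        self._expire(now)
        if key in self.table:
            self.table[key] = now
            self.table.move_to_end(key)  # most recently active goes last
            return True
        if not syn:
            # Mid-stream packet for a flow we no longer track: drop it.
            self.stats["out_of_state"] += 1
            return False
        if len(self.table) >= self.capacity:
            if not self.evict_on_full:
                self.stats["refused_new"] += 1
                return False
            self.table.popitem(last=False)  # least recently active entry
            self.stats["evicted"] += 1
        self.table[key] = now
        return True


def simulate(capacity=100, idle_timeout=None, evict_on_full=False):
    """Constructed traffic (hypothetical, for illustration only):
    t=0       one long-lived session ("ssh") opens and then goes quiet
    t=10..209 a burst of 200 distinct short flows, one packet each
    t=400     the long-lived session sends a mid-stream (non-SYN) packet
    Returns the table's counters plus whether the session still had state."""
    fw = ConnTable(capacity, idle_timeout, evict_on_full)
    fw.packet("ssh", now=0, syn=True)
    for i in range(200):
        fw.packet(f"burst-{i}", now=10 + i, syn=True)
    ssh_alive = fw.packet("ssh", now=400)
    return dict(fw.stats, ssh_alive=ssh_alive, entries=len(fw.table))


if __name__ == "__main__":
    for label, kwargs in [
        ("no timeout, refuse when full", {}),
        ("300s idle timeout, refuse when full", {"idle_timeout": 300}),
        ("no timeout, evict LRU when full", {"evict_on_full": True}),
    ]:
        print(f"{label:38s} {simulate(**kwargs)}")
```

Running it shows the point each way: with the 300-second timeout and no eviction, the burst still fills the table and 101 new flows are refused (the timeout did not prevent exhaustion), and the quiet session additionally loses its state at t=400 because it was timed out. With no timeout but LRU eviction on a full table, every new flow in the burst gets a slot; the cost is that the quiet session, being the least recently active entry, is the first one dropped under pressure. With neither, the quiet session survives but the same 101 new flows are refused.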
