help-gnutls

[Help-gnutls] Re: Announcement: Yet another GnuTLS-using program: Mandos


From: Simon Josefsson
Subject: [Help-gnutls] Re: Announcement: Yet another GnuTLS-using program: Mandos
Date: Thu, 09 Oct 2008 12:22:57 +0200
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/22.2 (gnu/linux)

Teddy Hogeborn <address@hidden> writes:

> Simon Josefsson <address@hidden> writes:
>
>> Teddy Hogeborn <address@hidden> writes:
>>
>>>> This might introduce network timeouts, but if the Mandos client is
>>>> robust about that there shouldn't be a problem.
>>>
>>> I'm not sure what you mean.  Should not a TLS connection over TCP
>>> be alive indefinitely even if no data is sent over it?
>>
>> NAT firewalls tend to drop TCP sessions without any traffic over
>> them after some time.  Possibly the client could retry after some
>> interval.  Maybe your protocol could contain a ping-function.  This
>> would add some complexity, so for simplicity it might be better to
>> avoid it.
>
> If this really would be a problem for somebody, should not this simply
> be solved by setting SO_KEEPALIVE?

Possibly, although I'm not certain.

> Now, the system as it is today is restricted to the local network (no
> network configured in the initrd, so we use IPv6 link-local
> addresses), so this should never happen.

Ah, that changes the model somewhat.  I guess it could be extended to
use DHCP and talk to a Mandos server somewhere else on the Internet
though.

/Simon
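The SO_KEEPALIVE suggestion in the exchange above, as an added example that is not part of this thread and not code from Mandos or GnuTLS. The practitioner's caveat it demonstrates: turning on SO_KEEPALIVE alone does not keep a NAT mapping alive on Linux, because the kernel default sends the first probe only after two hours of idle time (net.ipv4.tcp_keepalive_time = 7200), far longer than most NAT/firewall idle timeouts. The per-socket options TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT (TCP_KEEPALIVE for the idle value on macOS/BSD) bring the first probe inside the NAT window. Keepalive probes are empty TCP segments generated by the kernel, so they carry no TLS records and a GnuTLS session on the socket never sees them. The timings and the 300-second NAT timeout are constructed assumptions for the example, not Mandos settings:

```python
import socket

# Linux kernel defaults (net.ipv4.tcp_keepalive_time / _intvl / _probes):
# first probe after 2 hours idle, then every 75 s, 9 probes before the
# connection is declared dead.
LINUX_DEFAULT_KEEPALIVE = (7200, 75, 9)

# Constructed timings for this example (an assumption, not a Mandos setting):
# probe after 60 s idle, then every 20 s, give up after 3 unanswered probes.
EXAMPLE_KEEPALIVE = (60, 20, 3)


def probes_before_nat_timeout(nat_timeout, idle, interval, _count):
    """True if keepalive traffic starts before an idle NAT/firewall mapping
    that expires after nat_timeout seconds is dropped.  The idle time is what
    matters: once probes flow, each one refreshes the mapping, so the probe
    interval must also stay below the timeout.  The probe count is irrelevant."""
    return idle < nat_timeout and interval < nat_timeout


def dead_peer_detection_seconds(idle, interval, count):
    """Worst-case time until the kernel reports a silently vanished peer
    (ETIMEDOUT on the next read/write): the idle period plus count probes."""
    return idle + interval * count


def enable_tcp_keepalive(sock, idle, interval, count):
    """Turn on SO_KEEPALIVE and, where the platform exposes the per-socket
    knobs, tighten the probe timings.  Returns the values read back from the
    socket so the caller can see what actually took effect."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {
        "SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE) != 0
    }
    # Linux names the idle option TCP_KEEPIDLE; macOS/BSD call it TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
        applied["idle"] = sock.getsockopt(socket.IPPROTO_TCP, idle_opt)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        applied["interval"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
        applied["count"] = sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT)
    return applied


def keepalive_settings_for_new_socket(timings=EXAMPLE_KEEPALIVE):
    """Create an unconnected TCP socket (IPv6 when available, matching the
    link-local setup discussed in the thread), apply keepalive, and return
    what stuck.  No network traffic is generated."""
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with sock:
        return enable_tcp_keepalive(sock, *timings)


if __name__ == "__main__":
    nat = 300  # constructed: a NAT that forgets idle TCP flows after 5 minutes
    print("Linux defaults keep a", nat, "s NAT mapping alive:",
          probes_before_nat_timeout(nat, *LINUX_DEFAULT_KEEPALIVE))
    print("Example timings keep it alive:",
          probes_before_nat_timeout(nat, *EXAMPLE_KEEPALIVE))
    print("Dead peer noticed after (s):",
          dead_peer_detection_seconds(*EXAMPLE_KEEPALIVE))
    print("Applied to a fresh socket:", keepalive_settings_for_new_socket())
```

The same effect can be had system-wide by lowering net.ipv4.tcp_keepalive_time, but the per-socket options are the right tool for a single long-lived client such as the one discussed here, since they do not change behaviour for every other connection on the host. Keepalive also gives the client a bounded time to notice a peer that vanished without a FIN or RST, which a plain idle TLS connection never reports.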



