Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC
On Apr 28, 2009, at 07:52, Joel Jaeggli wrote:
teemu.savolainen@nokia.com wrote:
-----Original Message-----
From: ext Dan Wing [mailto:dwing@cisco.com]
Sent: 24 April, 2009 21:01
I wonder why the minimum time could not be longer for IPv6? The
longer the time the less need to activate radio for keep-alive
sending (on either side of the firewall btw - consider a case
where CPE has wireless WAN). In CGN case short timeout is
understandable due to the need to save public ports,

Having multiple assumed possibilities for timeouts means as an
application developer you can only use the lowest one, at least if
you want your stuff to work.

All true. I copied the two-minute timer from RFC 4787 on the general
idea that duplicating the filtering behavior of IPv4 NAT is the basic
frame of what we're doing.

Two hours seems a long time to leave your door open.

True, but my main intent was to ask why the 2 minutes time period
was chosen, and not e.g. 100% longer of four minutes.

I agree that a longer DEFAULT timeout for IPv6 state records may be
more reasonable given that we don't have a port conservation problem
caused by address amplification. I have no problem with four
minutes. Longer than that, however, and I would object. Two hours is
just completely out of the question for a connectionless transport.

So, can the working group give me a more reasonable number to use in
the -06 revision I'm composing today? Otherwise, I'll just increase
it from two to four minutes, and we'll revisit in -07 if necessary.
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
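
An added illustration of the trade-off discussed in this thread; it is not part of the original message or of the draft. It models an outbound-initiated UDP state record with an idle timeout and compares the two-minute, four-minute and two-hour values mentioned above. The class and function names, the constructed flow, the 15-second margin, and the choice that inbound packets do not refresh state are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class UdpStateFilter:
    """Outbound-initiated UDP state records with an idle timeout in seconds."""
    idle_timeout: int
    last_outbound: dict = field(default_factory=dict)

    def outbound(self, flow, now):
        # An interior host sends: create or refresh the state record.
        self.last_outbound[flow] = now

    def inbound(self, flow, now):
        # Admit an exterior datagram only while the record is still live.
        # Assumption: inbound traffic does not refresh the record.
        last = self.last_outbound.get(flow)
        if last is None or now - last >= self.idle_timeout:
            self.last_outbound.pop(flow, None)
            return False
        return True

# Constructed flow using documentation addresses (2001:db8::/32).
FLOW = ("2001:db8:1::10", 40000, "2001:db8:2::1", 3478)

def safe_keepalive_interval(possible_timeouts, margin=15):
    # The application cannot see which timeout a CPE uses, so it has to
    # stay under the shortest one. The 15 s margin is an assumption.
    return min(possible_timeouts) - margin

def peer_push_admitted(idle_timeout, keepalive_interval, rounds=10):
    # Worst case: the peer's datagram arrives one second before the
    # next keepalive is due.
    fw = UdpStateFilter(idle_timeout)
    for i in range(rounds):
        t = i * keepalive_interval
        fw.outbound(FLOW, t)
        if not fw.inbound(FLOW, t + keepalive_interval - 1):
            return False
    return True

def open_after_silence(idle_timeout, seconds_since_last_send):
    # The "door open" window: is the flow still reachable from outside
    # this long after the interior host went quiet?
    fw = UdpStateFilter(idle_timeout)
    fw.outbound(FLOW, 0)
    return fw.inbound(FLOW, seconds_since_last_send)

if __name__ == "__main__":
    for timeouts in ([120], [240], [120, 240]):
        interval = safe_keepalive_interval(timeouts)
        print(timeouts, "interval", interval, "s,", 3600 // interval, "keepalives/hour")
    print("two-hour timer, 1 h after last send:", open_after_silence(7200, 3600))
    print("four-minute timer, 1 h after last send:", open_after_silence(240, 3600))
```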