[WireGuard] NAT-T Keepalives

Baptiste Jonglez baptiste at bitsofnetworks.org
Thu Jul 7 18:58:40 CEST 2016


Just a small note: this would not be useful just for NAT, but also for
stateful firewalls.  It is not uncommon to have a stateful firewall
directly on end hosts (I think Fedora does this by default?), and
keepalives would prevent the mapping there from expiring.

The same goes for IPv6: most home routers have a stateful firewall by
default, even though they don't do IPv6 NAT (hopefully).

On Thu, Jul 07, 2016 at 06:33:11PM +0200, Jason A. Donenfeld wrote:
> It seems evident that, like every other UDP protocol on the planet,
> WireGuard needs to support what I'm calling "persistent keepalives". I
> call it persistent to distinguish it from the encrypted ones which are
> opportunistic. There are several other important differences:
> 
> a) The persistent keepalive does not need an active session and does
> not need to send any encrypted data. It simply is a UDP packet to the
> endpoint. The payload doesn't matter for the purpose of just keeping
> the NAT mapping alive.

Why not simply use the same technique as the opportunistic keepalives, then?
(encrypted payload)

One small advantage over the "empty UDP packet" method is that it will
also refresh the "latest handshake" timer shown in wg (or whatever GUI
people will build on top of wireguard).  From a user perspective, it's
nice to know that the VPN is still alive.

> b) The persistent keepalive is optional. It is a configuration option
> in seconds. "0" means off. "60" means send once per minute. And so
> forth. By default it is off.
> 
> So, now there are several things to decide:
> 
> 1. What should the payload be? Should it be a single fixed byte? Or
> should it be a zero length UDP packet?

I wouldn't be surprised that some middleboxes drop zero-length UDP
packets, but I don't have any data...

> 2. What is an acceptable minimum interval? Every 5 seconds?
> 3. What is an acceptable maximum interval? 3600 seconds?
> 4. What is a good interval to show in documentation examples that will
> work for most people?

30 seconds?

> 5. Is there a good resource for real world NAT mapping timings found
> in the wild?
> 
> After this feature is ironed out, I'll be pushing a new experimental
> snapshot. This is currently the most visible headache of WireGuard and
> I'd like to get it ironed out sooner rather than later.
> 
> What are your thoughts?
> 
> Thanks,
> Jason
> _______________________________________________
> WireGuard mailing list
> WireGuard at lists.zx2c4.com
> http://lists.zx2c4.com/mailman/listinfo/wireguard
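The middlebox behaviour the thread argues about, as an added example that is not from the message above or from WireGuard itself: a toy model of a NAT or stateful-firewall mapping with an idle timeout, plus the "interval in seconds, 0 means off" keepalive schedule, to show why the keepalive interval has to be strictly shorter than the mapping timeout. The idle-timeout model and the "expired mapping means a fresh mapping with a new external port" assumption are simplifications assumed here.

```python
from typing import List, Optional


class MappingState:
    """Assumed model: a NAT/stateful-firewall entry lives for idle_timeout
    seconds after the last *outbound* packet from the host behind it."""

    def __init__(self, idle_timeout: float) -> None:
        self.idle_timeout = idle_timeout
        self.last_outbound: Optional[float] = None  # None = no mapping yet
        self.remaps = 0  # times an expired mapping had to be re-created

    def inbound_allowed(self, t: float) -> bool:
        """Would a packet from the peer be passed through at time t?"""
        if self.last_outbound is None:
            return False
        return t - self.last_outbound < self.idle_timeout

    def outbound(self, t: float) -> bool:
        """Host sends a packet (data or keepalive) at time t.
        Returns True if it refreshed a live mapping; False if the mapping had
        already expired, in which case a real NAT allocates a new one (likely
        with a different external port), so the peer's stored endpoint goes stale."""
        refreshed = self.inbound_allowed(t)
        if self.last_outbound is not None and not refreshed:
            self.remaps += 1
        self.last_outbound = t
        return refreshed


def keepalive_times(interval: int, start: float, end: float) -> List[float]:
    """Persistent keepalive schedule as described in the thread:
    'interval' in seconds, 0 means off, 60 means once per minute."""
    if interval < 0:
        raise ValueError("keepalive interval must be >= 0")
    if interval == 0:
        return []
    times, t = [], start + interval
    while t <= end:
        times.append(t)
        t += interval
    return times


def peer_reachable(interval: int, idle_timeout: float, probe_at: float) -> bool:
    """Host sends one real packet at t=0, then only keepalives.
    Can the peer still reach it through the same mapping at probe_at?"""
    state = MappingState(idle_timeout)
    state.outbound(0.0)
    for t in keepalive_times(interval, 0.0, probe_at):
        state.outbound(t)
    return state.remaps == 0 and state.inbound_allowed(probe_at)
```

With a 60-second mapping timeout, a 30-second keepalive keeps the peer reachable indefinitely, keepalives off lose the mapping after a minute of silence, and a keepalive equal to the timeout is already too slow because the entry expires just before each refresh.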