[WireGuard] NAT-T Keepalives

Bruno Wolff III bruno at wolff.to
Thu Jul 7 19:57:22 CEST 2016


On Thu, Jul 07, 2016 at 18:33:11 +0200,
  "Jason A. Donenfeld" <Jason at zx2c4.com> wrote:
>
>The most bootleg solution for this is to just run "ping $server" from
>userspace. What a disgusting fix.

This also forces encrypted traffic, which your solution would avoid.

>1. What should the payload be? Should it be a single fixed byte? Or
>should it be a zero length UDP packet?

The packet doesn't even need to make it to the endpoint, just through
the NAT or firewall. So you don't want something that would get blocked
by those. I don't know of anything that would be likely to. Otherwise
you probably want minimum resources expended by the endpoints producing
and receiving the packet.

>5. Is there a good resource for real world NAT mapping timings found
>in the wild?

Our NAT defaults to one minute for random UDP ports. So 30 seconds seems 
like a reasonable time if there isn't much packet loss.

>What are your thoughts?

It sounds like a nice improvement.
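The timing argument in this exchange (a NAT that forgets an idle UDP mapping after about a minute, so a keepalive every 30 seconds survives an occasional lost packet) can be made concrete with a small model. The following is an added example, not code from the thread or from WireGuard; it assumes an idealised NAT that expires a mapping once `idle_timeout` seconds pass with no outbound packet, and it takes the set of lost keepalives as an explicit input rather than a random loss rate.

```python
"""Model of a stateful NAT's UDP mapping lifetime against a fixed keepalive interval.

Added example (not part of the mailing-list thread). Assumptions, labelled as such:
- the NAT created the mapping at t=0 (handshake or first data packet);
- it drops the mapping once idle_timeout seconds pass with no outbound packet,
  regardless of whether that packet ever reaches the far endpoint;
- `lost` lists the 1-based indices of keepalives dropped *before* the NAT,
  which therefore do not refresh the mapping.
"""


def simulate(idle_timeout, keepalive_interval, duration, lost=frozenset()):
    """Run keepalives every keepalive_interval seconds for `duration` seconds.

    Returns (mapping_survived, time_the_mapping_expired_or_None).
    """
    last_refresh = 0.0  # the mapping was created by the initial handshake at t=0
    n = 0
    t = keepalive_interval
    while t <= duration:
        n += 1
        if n not in lost:
            # A keepalive that reaches the NAT after the entry expired is too late:
            # the NAT would allocate a fresh mapping (new port) instead.
            if t - last_refresh > idle_timeout:
                return (False, last_refresh + idle_timeout)
            last_refresh = t
        t += keepalive_interval
    # Check the tail of the run after the last scheduled keepalive.
    if duration - last_refresh > idle_timeout:
        return (False, last_refresh + idle_timeout)
    return (True, None)


def max_tolerated_consecutive_losses(idle_timeout, keepalive_interval):
    """How many keepalives in a row may be lost without the mapping expiring.

    The gap between two refreshes after k consecutive losses is (k+1)*interval,
    which must stay <= idle_timeout. Returns 0 when even a single loss is fatal
    (or when the interval itself already exceeds the timeout).
    """
    return max(0, int(idle_timeout // keepalive_interval) - 1)


def choose_interval(idle_timeout, tolerated_losses):
    """Largest keepalive interval that still survives `tolerated_losses` losses in a row."""
    return idle_timeout / (tolerated_losses + 1)


if __name__ == "__main__":
    # Constructed scenario matching the thread: 60 s NAT idle timeout, 30 s keepalives.
    print(simulate(60, 30, 300))                    # no loss
    print(simulate(60, 30, 300, lost={3}))          # one keepalive lost: still alive
    print(simulate(60, 30, 300, lost={3, 4}))       # two in a row lost: mapping expires
    print(max_tolerated_consecutive_losses(60, 30))
    print(choose_interval(60, 1))
```

With a 60 second NAT timeout, a 30 second interval tolerates exactly one lost keepalive in a row; two consecutive losses let the mapping expire, after which the NAT would assign a new external port and the peer's stored endpoint would be stale until a fresh handshake. That is the sense in which "30 seconds seems reasonable if there isn't much packet loss": the margin is one packet, so lossier links need a shorter interval, not just a longer timeout on the far side.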
