Re: [VPN] Application timeouts over VPN...HELP!
- To: [EMAIL PROTECTED]
- Subject: Re: [VPN] Application timeouts over VPN...HELP!
- From: Alex Pankratov <[EMAIL PROTECTED]>
- Date: Sun, 13 Apr 2003 01:14:31 -0700
- In-reply-to: <[EMAIL PROTECTED]>
- References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
- Sender: [EMAIL PROTECTED]
Dana J. Dawson wrote:
> > You make it sound as if it's a commonly accepted fact. Well, it's not.
> > There is nothing wrong with 'abnormally' long/short TCP sessions.
> > Consider SSH, IMAP, PPTP and a multitude of instant messaging protocols
> > as a few examples.
>
> There may be nothing wrong with "abnormally long" TCP sessions from a
> TCP or a security standpoint (I'm ignoring the concept of an "abnormally
> short" TCP session, since I don't believe such a thing exists), but when
> devices that track the states of those sessions are involved, such as
> firewalls, then there are very real issues that could be considered
> problems. Such devices have to allocate resources for each connection,
> so they must impose an idle timeout of some sort or risk eventual
> failure due to lack of resources.

Not really. Timing out idle connections is neither necessary nor
sufficient to resolve and/or prevent resource exhaustion. If the
firewall does encounter a lack of resources it'd be more reasonable to
drop the least recently active connection, but timing it out 'preventively'
serves no clear purpose. Idle TCP timeouts are more of a functional
feature than an implementation caveat.
_______________________________________________
VPN mailing list
[EMAIL PROTECTED]
http://lists.shmoo.com/mailman/listinfo/vpn
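
The two state-table policies discussed in this thread (a fixed idle timeout versus dropping the least recently active connection only when the table is full), as an added example that is not part of the original message. `ConnTable`, the capacity of 4, the 3600-second timeout and the traffic in `scenario` are all constructed for illustration and model no particular firewall.

```python
from collections import OrderedDict

class ConnTable:
    """Toy state table; a constructed model, not any real firewall's code."""

    def __init__(self, capacity, idle_timeout=None, evict_lru=False):
        self.capacity = capacity
        self.idle_timeout = idle_timeout  # seconds; None = entries never expire
        self.evict_lru = evict_lru        # full table: drop least recently active
        self.conns = OrderedDict()        # conn id -> last activity, oldest first

    def _expire(self, now):
        # Remove entries idle longer than the timeout (oldest entries come first).
        while self.idle_timeout is not None and self.conns:
            cid, last = next(iter(self.conns.items()))
            if now - last <= self.idle_timeout:
                break
            del self.conns[cid]

    def open(self, cid, now):
        """New connection (SYN). Returns False if the table cannot hold it."""
        self._expire(now)
        if len(self.conns) >= self.capacity:
            if not self.evict_lru:
                return False
            self.conns.popitem(last=False)  # evict least recently active entry
        self.conns[cid] = now
        self.conns.move_to_end(cid)
        return True

    def packet(self, cid, now):
        """Packet on an existing connection. Returns False if state is gone."""
        self._expire(now)
        if cid not in self.conns:
            return False  # the application sees this as a hang or reset
        self.conns[cid] = now
        self.conns.move_to_end(cid)
        return True

def scenario(table):
    """Constructed traffic: SSH session idle for 2 h, then 5 new flows at once."""
    table.open("ssh", 0)
    ssh_survived_idle = table.packet("ssh", 7200)
    accepted = sum(table.open(f"flow-{i}", 7201) for i in range(5))
    return ssh_survived_idle, accepted

if __name__ == "__main__":
    print("idle timeout:", scenario(ConnTable(4, idle_timeout=3600)))
    print("LRU eviction:", scenario(ConnTable(4, evict_lru=True)))
```

In this model the idle-timeout table loses the SSH session while nearly empty and still refuses the fifth new flow, while the LRU table keeps the idle session but admits every new flow by evicting the oldest tracked entries.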