SunScreen 3.2 Administrator's Overview

tcp_keepalive State Engine

The tcp_keepalive state engine is for use with protocols that spend long periods in an idle mode (telnet, for example). This state engine prevents the statetable entry from timing out if no packets are sent for a long time. Some SunScreen services (telnet, rlogin, ssh, X11) use tcp_keepalive by default. tcp_keepalive should be used for any TCP-based service that by its nature can include long periods of idle time.

tcp_keepalive causes the Screen to emit a "fake" keepalive packet to the session's source host, claiming to have been sent by the session's destination host. The keepalive packet is sent a few minutes before the Screen normally would drop the session. If the source host is still alive, it responds with an ACK, which causes the Screen to rejuvenate the session lifetime. The ACK is forwarded to the destination host, which responds if it is still alive. If either host has reset or timed out its end of the connection, it will respond with an RST, which causes the Screen to discard the session.

The tcp_keepalive state engine definition specifies that the first keepalive probe be sent 15 minutes before the session expires. If there is no response, multiple probes are sent, rapidly at first, then slowing: 900, 880, 860, 820, 740, 580, and 260 seconds before the session expires.


Caution -

If you use this state engine for a service, it could lead to a connection being left open through the firewall for an extended period of time. Imagine, for example, someone telnets through the firewall, leaves the connection sitting at a prompt, and then goes on vacation for two weeks. Keepalive probes will continue to be successfully sent and the connection will stay open for two weeks.

It is up to the security administrator of the site to determine if use of this state engine is appropriate. Use of this state engine coupled with an inactivity timeout on login sessions would prevent such a situation from occurring and would make the firewall much more transparent to users, as there would be no "hung" sessions. Careful consideration should be given to the tradeoff between risk and convenience.
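As an added illustration (not SunScreen code), the following Python simulates the probe schedule and the ACK/RST/silence outcomes described above, and also the vacation scenario from the caution: a host that always answers keeps the entry open indefinitely, while a host whose login session has an inactivity timeout eventually answers a probe with RST and the Screen discards the session. The state-table timeout, the horizon and the host behaviours are constructed values, not SunScreen defaults.

```python
from typing import Callable, Optional

# Offsets (seconds before session expiry) at which the Screen emits probes,
# as given in the SunScreen documentation: rapid at first, then slowing.
PROBE_OFFSETS = (900, 880, 860, 820, 740, 580, 260)

# A responder models the source host: given the probe time and the time the
# session last carried real traffic, it returns "ACK", "RST" or None (silence).
# This is a constructed stand-in for a real TCP stack.
Responder = Callable[[int, int], Optional[str]]

def probe_times(expires_at: int):
    """Absolute times at which probes would be sent for one idle period."""
    return [expires_at - off for off in PROBE_OFFSETS]

def keepalive_cycle(expires_at: int, timeout: int, last_traffic: int, host: Responder):
    """One idle period: walk the probe schedule until the entry is
    rejuvenated (ACK), discarded (RST) or allowed to expire (no answer)."""
    for t in probe_times(expires_at):
        answer = host(t, last_traffic)
        if answer == "ACK":           # Screen rejuvenates the session lifetime
            return "rejuvenated", t + timeout
        if answer == "RST":           # Screen discards the session
            return "discarded", t
    return "expired", expires_at      # every probe went unanswered

def simulate(timeout: int, host: Responder, horizon: int):
    """Run idle cycles from t=0 (last real packet) until the session is gone
    or `horizon` is reached; returns (final_state, time, cycles)."""
    expires_at, cycles = timeout, 0
    while expires_at <= horizon:
        state, expires_at = keepalive_cycle(expires_at, timeout, 0, host)
        cycles += 1
        if state != "rejuvenated":
            return state, expires_at, cycles
    return "open", expires_at, cycles   # still open past the horizon

def always_alive(t: int, last_traffic: int) -> Optional[str]:
    """Host sitting at an idle prompt forever: ACKs every probe."""
    return "ACK"

def login_timeout(limit: int) -> Responder:
    """Host whose login session is closed after `limit` idle seconds; once
    closed, its TCP stack answers the Screen's probe with RST (constructed)."""
    return lambda t, last_traffic: "RST" if t - last_traffic > limit else "ACK"

if __name__ == "__main__":
    two_weeks = 14 * 86400
    print(simulate(3600, always_alive, two_weeks))          # stays open
    print(simulate(3600, login_timeout(7200), two_weeks))   # discarded
```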


The tcp_keepalive state engine has two parameters: