[Box Backup-dev] Timeouts
Chris Wilson
boxbackup-dev@fluffy.co.uk
Thu, 7 Dec 2006 11:56:44 +0000 (GMT)
Hi Martin and Ben,
On Thu, 7 Dec 2006, Martin Ebourne wrote:
> Ben Summers <ben@fluffy.co.uk> wrote:
>> Is it possible to just set really long timeouts on the underlying SSL /
>> TCP/IP sockets?
[...]
> An alternative is tcp level keepalives. You can do these by setting
> SO_KEEPALIVE which I think is POSIX. However, controlling how often they
> occur is somewhat more difficult. eg. On linux you can use the TCP_KEEPIDLE
> etc socket options, but on some systems its a kernel parameter change.
>
> I've no idea if openssl has anything protocol level we can use here,
> otherwise the only really portable and controllable way is to do it
> manually.
I guess there is not a good way to do it at the TCP or SSL level, because
OpenSSH implements its own mechanism. From ssh_config(5):
ServerAliveInterval
        Sets a timeout interval in seconds after which if no data has been
        received from the server, ssh will send a message through the encrypted
        channel to request a response from the server.
        [...]
        It is important to note that the use of server alive
        messages is very different from TCPKeepAlive (below). The
        server alive messages are sent through the encrypted channel and
        therefore will not be spoofable. The TCP keepalive option enabled
        by TCPKeepAlive is spoofable. The server alive mechanism is
        valuable when the client or server depend on knowing when a
        connection has become inactive.

TCPKeepAlive
        Specifies whether the system should send TCP keepalive messages
        to the other side. If they are sent, death of the connection or
        crash of one of the machines will be properly noticed. This
        option only uses TCP keepalives (as opposed to using ssh level
        keepalives), so takes a long time to notice when the connection
        dies. As such, you probably want the ServerAliveInterval option
        as well. However, this means that connections will die if the
        route is down temporarily, and some people find it annoying.
Cheers, Chris.
--
_ ___ __ _
/ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
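The TCP-level option Martin describes (SO_KEEPALIVE plus the Linux TCP_KEEPIDLE family), as an added example that is not part of this thread or of Box Backup's code. It turns keepalives on for a socket, tunes the probe timing where the platform has per-socket knobs (the #ifdefs are the portability caveat from the thread: BSD/macOS spell the idle time TCP_KEEPALIVE, and on systems without any of these only the kernel-wide parameter applies), reads the settings back, and works out the worst-case time before the kernel notices a dead peer. The function names, the keepalive_cfg struct and the 60/10/3 sample values are this example's own; the 7200/75/9 figures are the Linux kernel defaults.

```c
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Per-socket keepalive settings as read back from the kernel (hypothetical
 * struct for this example). A field is -1 where the platform offers no
 * per-socket option, in which case the kernel-wide parameter applies. */
struct keepalive_cfg {
    int enabled;    /* SO_KEEPALIVE on/off */
    int idle_s;     /* idle seconds before the first probe */
    int interval_s; /* seconds between unanswered probes */
    int count;      /* unanswered probes before the connection is dropped */
};

static int set_int_opt(int fd, int level, int name, int value) {
    return setsockopt(fd, level, name, &value, sizeof value);
}

static int get_int_opt(int fd, int level, int name) {
    int value = 0;
    socklen_t len = sizeof value;
    if (getsockopt(fd, level, name, &value, &len) < 0)
        return -1;
    return value;
}

/* Turn on SO_KEEPALIVE and tune probe timing where per-socket options exist
 * (Linux: TCP_KEEPIDLE; BSD/macOS: TCP_KEEPALIVE for the idle time).
 * Returns 0 on success, -1 with errno set. */
int enable_tcp_keepalive(int fd, int idle_s, int interval_s, int count) {
    if (set_int_opt(fd, SOL_SOCKET, SO_KEEPALIVE, 1) < 0)
        return -1;
#if defined(TCP_KEEPIDLE)
    if (set_int_opt(fd, IPPROTO_TCP, TCP_KEEPIDLE, idle_s) < 0) return -1;
#elif defined(TCP_KEEPALIVE)
    if (set_int_opt(fd, IPPROTO_TCP, TCP_KEEPALIVE, idle_s) < 0) return -1;
#else
    (void)idle_s;       /* only the kernel-wide default is available */
#endif
#if defined(TCP_KEEPINTVL)
    if (set_int_opt(fd, IPPROTO_TCP, TCP_KEEPINTVL, interval_s) < 0) return -1;
#else
    (void)interval_s;
#endif
#if defined(TCP_KEEPCNT)
    if (set_int_opt(fd, IPPROTO_TCP, TCP_KEEPCNT, count) < 0) return -1;
#else
    (void)count;
#endif
    return 0;
}

/* Read the effective settings back, so a daemon can log what it really got. */
int read_tcp_keepalive(int fd, struct keepalive_cfg *cfg) {
    cfg->enabled = get_int_opt(fd, SOL_SOCKET, SO_KEEPALIVE);
    if (cfg->enabled < 0)
        return -1;
#if defined(TCP_KEEPIDLE)
    cfg->idle_s = get_int_opt(fd, IPPROTO_TCP, TCP_KEEPIDLE);
#elif defined(TCP_KEEPALIVE)
    cfg->idle_s = get_int_opt(fd, IPPROTO_TCP, TCP_KEEPALIVE);
#else
    cfg->idle_s = -1;
#endif
#if defined(TCP_KEEPINTVL)
    cfg->interval_s = get_int_opt(fd, IPPROTO_TCP, TCP_KEEPINTVL);
#else
    cfg->interval_s = -1;
#endif
#if defined(TCP_KEEPCNT)
    cfg->count = get_int_opt(fd, IPPROTO_TCP, TCP_KEEPCNT);
#else
    cfg->count = -1;
#endif
    return 0;
}

/* Worst case from the last received byte until the kernel gives up on a dead
 * peer: idle + interval * count. With the Linux defaults (7200/75/9) that is
 * over two hours, the slow detection the ssh_config excerpt warns about.
 * Returns -1 if any value is unknown. */
long keepalive_dead_after(int idle_s, int interval_s, int count) {
    if (idle_s < 0 || interval_s < 0 || count < 0)
        return -1;
    return (long)idle_s + (long)interval_s * count;
}

/* Configure a fresh TCP socket, read the settings back and return the
 * worst-case detection time in seconds, or -1 on any error. */
long keepalive_self_check(int idle_s, int interval_s, int count) {
    struct keepalive_cfg cfg;
    long dead_after = -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (enable_tcp_keepalive(fd, idle_s, interval_s, count) == 0 &&
        read_tcp_keepalive(fd, &cfg) == 0 && cfg.enabled)
        dead_after = keepalive_dead_after(cfg.idle_s, cfg.interval_s, cfg.count);
    close(fd);
    return dead_after;
}

int main(void) {
    long t = keepalive_self_check(60, 10, 3);  /* 90 on Linux */
    printf("dead peer noticed after at most %ld s\n", t);
    return t < 0;
}
```

Even with short timers, a TCP keepalive is plaintext segment-level traffic and says nothing about the peer's TLS session state, which is why the thread ends up preferring an application-level ping inside the encrypted channel, as ssh does with ServerAliveInterval.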