On Tue, Sep 29, 2020 at 11:13:59AM -0400, Stefan Monnier wrote:
In general it's kind of dumb on modern hardware to expire sessions
that are still exchanging TCP keepalives unless you're under extreme
pressure from a DoS attack or somesuch.
Indeed, I'd be *very* surprised if a connection was dropped despite
exchange of TCP keepalives. It seems much more likely that the
keepalives aren't used by the application (quite common and normal) or
that they get filtered somewhere.
Nope, it's reasonably common on the internet and a complete PITA.
But people rarely get to choose the other end's firewall
configuration, so enter kludges like the ssh protocol keepalives.
According to `man ssh(d)_config` one reason to use SSH's `Clientalive` or
`ServerAlive` is that, contrary to TCP keepalives, it can't be spoofed.
The issue with spoofing is potentially *too much* keeping alive, and if
you read further that can be relevant if you for some reason need to
know that an ssh connection has died but (e.g.) a malicious third party
is using TCP keepalives to prevent ssh from knowing that the other end
is down. If the problem you're trying to solve is not enough keeping
alive (that is, your ssh connection is dying) rather than too much
keeping alive, this reason is irrelevant. The protocol keepalives
*also* fix the problem of firewalls timing out connections with TCP
keepalives. I don't know why the man page doesn't just say that, maybe
ideological opposition to accommodating firewall stupidity.
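For reference, the settings the message above is talking about. This is an added illustration, not from the thread or the OpenSSH project; the interval and count values are arbitrary choices, and the detection-time arithmetic (interval times count) follows the description in ssh_config(5) and sshd_config(5).

```sshconfig
# --- client side: ~/.ssh/config (or /etc/ssh/ssh_config) ---
Host *
    # Send an encrypted, in-protocol "are you there?" message every 30 s of
    # silence. A NAT/firewall state table sees this as ordinary traffic and
    # keeps the mapping alive, which plain TCP keepalives often fail to do.
    ServerAliveInterval 30
    # Give up after 3 unanswered probes: the client declares the session dead
    # after roughly 30 s * 3 = 90 s without any reply from the server.
    ServerAliveCountMax 3
    # TCP keepalives can stay on; they are complementary, but since they are
    # unauthenticated they can be spoofed, so they cannot be trusted to tell
    # you that the peer is actually gone.
    TCPKeepAlive yes

# --- server side: /etc/ssh/sshd_config ---
# Same mechanism in the other direction, so idle sessions whose client has
# vanished are torn down (and the firewall state is refreshed meanwhile).
ClientAliveInterval 60
# Dead client detected after about 60 s * 2 = 120 s of unanswered probes.
ClientAliveCountMax 2
TCPKeepAlive yes
```

Pick the client interval below the shortest idle timeout of any firewall on the path (often a few minutes); the count controls how quickly a genuinely dead peer is noticed, which is the property the man page means by "cannot be spoofed".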