
Re: NAT and IPSEC INCOMPATIBLE???

Let me try to respond. I will assume you are referring to a specific
flavor of NAT, called Network Address Port Translator (NAPT).

NAT is session-based and does not operate on a per-packet basis.
I.e., once a session is permitted by NAT in a certain direction,
packets flowing in either direction will undergo translation.
So, I will further assume you are referring to a new inbound 
session directed to a well-known TCP/UDP port on the NAPT device.

Now, when a new session is initiated to port X on the NAPT device, 
the session will be directed, by default, to the NAPT. 
However, as Mr. Krzysztof pointed out, it is possible to set up a 
static policy to redirect the session to a different host within
the address realm supported by NAT. For example, if the NAT device 
does not have FAX service available on the box, it may be redirected
to a host that does have it. 

cheers,
suresh

> 
> Let me repeat my question: If a packet comes in on port X on the NAT
> gateway, how do you know whether the packet really goes to port X on
> host Y or port X on host Z?  Remember, this is a protocol with a known
> port (port X)... It ALWAYS sits on port X.  So, how do you address
> "port X on host Y" when "host Y" is behind a NAT gateway?
> 
> -derek
> 
> Pakulski Krzysztof-LKP014 <Krzysztof_Pakulski-LKP014@email.mot.com> writes:
> 
> > 
> > I believe that one of the possibilities is to make a static binding.
> > 
> > If something comes to port X on NAT gateway, it is forwarded to port Y on
> > host Z, if policy allows that.
> > 
> > Krzysztof
> > > ----------
> > > From: 	Derek Atkins[SMTP:warlord@MIT.EDU]
> > > Sent: 	Thursday, June 10, 1999 3:45 PM
> > > To: 	pcalhoun@eng.sun.com
> > > Cc: 	Pyda Srisuresh; danmcd@Eng.Sun.Com; johnbr@elastic.com;
> > > ipsec@lists.tislabs.com
> > > Subject: 	Re: NAT and IPSEC INCOMPATIBLE???
> > > 
> > > How can you do port address translation on known incoming ports?  For
> > > example, what do I do if I need to get to port X on your host, which
> > > is sitting behind a NAT firewall?  Obviously I don't know you're
> > > sitting behind a NAT gateway; how is the NAT gateway supposed to know
> > > that a packet coming to port X is destined for host Y or host Z, both
> > > of whom may be using these NAT-unfriendly protocols?
> > > 
> > > And no, an answer of "don't use NAT-unfriendly protocols" is not a
> > > valid answer, as many of these protocols were developed years (or
> > > decades) before NAT.
> > > 
> > > -derek
> > > 
> > > "pcalhoun@eng.sun.com" <Pat.Calhoun@Eng.Sun.Com> writes:
> > > 
> > > > 
> > > > agreed, but my comment was directed to the use of NAT in hotels. It was not
> > > > intended to be IPSec specific. I had *assumed* that they were doing port
> > > > translation (to conserve addresses).
> > > > 
> > > > 
> > > > PatC
> > > > > 
> > > > > Pat,
> > > > > 
> > > > > The accessibility provided by NAPT (Network Address Port Translator)
> > > > > is not any less than the accessibility provided by a host with a 
> > > > > single address. 
> > > > > 
> > > > > Further, Bidirectional-NAT does not preclude inbound connections.
> > > > > It simply does address multiplexing - optimal use of limited
> > > > > addresses available.
> > > > > 
> > > > > I suggest you take a look at <draft-ietf-nat-terminology-03.txt>
> > > > > prior to spreading misinformation. 
> > > > > 
> > > > > cheers,
> > > > > suresh
> > > > > 
> > > > > > 
> > > > > > And just to make matters worse, I could not have anyone connect directly to me
> > > > > > thanks to NAT (i.e. ftp, SIP, etc).
> > > > > > 
> > > > > > PatC
> > > > > > 
> > > > > > > > > By the way, there are certain markets where NAT is a requirement (such as
> > > > > > > > > running IP to the guest rooms in hotels)
> > > > > > > 
> > > > > > > Until the hotels get more customers like Pat, who say that...
> > > > > > > 
> > > > > > > > hmm... so I HAVE to trust my hotel? What kind of customers are they looking
> > > > > > > > for? If they are looking for the commuter, then NAT is a bad thing since I
> > > > > > > > will want to encrypt my data back to my corporate network.
> > > > > > > 
> > > > > > > And by then they'll be looking for another alternative.
> > > > > > > 
> > > > > > > > > and IPSec is also extremely high profile.   It would help everyone out if
> > > > > > > > > there was a built-in method to scale arbitrarily
> > > > > > > > > large for address translated IPSec connections - just with ESP, I don't
> > > > > > > > > think that AH is as important to these users.
> > > > > > > 
> > > > > > > And that alternative is IPv6.  ESP works just fine over that.
> > > > > > > 
> > > > > > > Dan
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > 
> > > > 
> > > > 
> > > 
> > > -- 
> > >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > >        Member, MIT Student Information Processing Board  (SIPB)
> > >        URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
> > >        warlord@MIT.EDU                        PGP key available
> > > 
> 
> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
>        warlord@MIT.EDU                        PGP key available
> 
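The behaviour Suresh describes above (a session table that translates both directions once an outbound session exists, unsolicited inbound traffic to a well-known port landing on the NAPT box itself, and a static policy redirecting that port to one internal host) can be made concrete with a toy translator. The following is an added illustration and not code from any of the list participants; the addresses, ports and hosts are constructed for the example. It also goes one step beyond the message to show why Derek's objection holds (one public port can carry a static binding for only one internal host) and why ESP in particular gives a port-keyed NAPT nothing to look up.

```python
"""Toy NAPT (Network Address Port Translator), written for this
illustration; it is not code from any of the list participants.
All addresses, ports and hosts below are constructed examples."""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP: any ports sit inside the payload
    dport: Optional[int] = None


@dataclass
class NAPT:
    public_ip: str
    # static policy: (proto, public port) -> (internal host, internal port)
    static: dict = field(default_factory=dict)
    # dynamic session table: (proto, public port) -> (host, port, remote ip, remote port)
    sessions: dict = field(default_factory=dict)
    _free_ports: count = field(default_factory=lambda: count(40000))

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private realm.  The first packet of a
        session allocates a public port; later packets of that session reuse it."""
        if pkt.sport is None:
            raise ValueError(f"{pkt.proto}: no transport port for the NAPT to multiplex on")
        inner = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, pub_port), entry in self.sessions.items():
            if proto == pkt.proto and entry == inner:
                break
        else:
            pub_port = next(self._free_ports)
            self.sessions[(pkt.proto, pub_port)] = inner
        return Packet(pkt.proto, self.public_ip, pkt.dst, pub_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a packet arriving at the public address.  Returns the
        translated packet, or None when it stays on the NAPT box itself."""
        if pkt.dport is None:
            return None               # ESP carries an SPI, not a port: nothing to look up
        key = (pkt.proto, pkt.dport)
        if key in self.sessions:      # reply traffic of an existing session
            host, port, rip, rport = self.sessions[key]
            if (rip, rport) == (pkt.src, pkt.sport):
                return Packet(pkt.proto, pkt.src, host, pkt.sport, port)
        if key in self.static:        # administratively configured redirect
            host, port = self.static[key]
            return Packet(pkt.proto, pkt.src, host, pkt.sport, port)
        return None


def demo() -> dict:
    """Walk through the cases discussed in the thread; returns the observed packets."""
    nat = NAPT("198.51.100.1")
    results = {}
    # 1. Session-based: host Y opens a TCP session outward; the reply is translated back.
    syn = nat.outbound(Packet("tcp", "10.0.0.2", "203.0.113.5", 51000, 80))
    results["syn"] = syn
    results["synack"] = nat.inbound(Packet("tcp", "203.0.113.5", "198.51.100.1", 80, syn.sport))
    # 2. A new inbound session to well-known port 21 is directed to the NAPT box by default.
    results["default"] = nat.inbound(Packet("tcp", "203.0.113.9", "198.51.100.1", 4321, 21))
    # 3. With a static policy, public port 21 is redirected to host Z.
    nat.static[("tcp", 21)] = ("10.0.0.3", 21)
    results["redirected"] = nat.inbound(Packet("tcp", "203.0.113.9", "198.51.100.1", 4321, 21))
    # 4. The policy is keyed on the public port alone, so a second host that also
    #    listens on port 21 can only be bound by displacing host Z.
    nat.static[("tcp", 21)] = ("10.0.0.2", 21)
    results["after_overwrite"] = nat.inbound(Packet("tcp", "203.0.113.9", "198.51.100.1", 4321, 21))
    # 5. ESP packets carry no transport ports, so the NAPT cannot demultiplex them.
    results["esp_in"] = nat.inbound(Packet("esp", "203.0.113.5", "198.51.100.1"))
    try:
        nat.outbound(Packet("esp", "10.0.0.2", "203.0.113.5"))
        results["esp_out"] = "translated"
    except ValueError as err:
        results["esp_out"] = str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case 4 is the crux of the exchange: a static binding answers "port X on host Z", but with a single public address there is no second binding for "port X on host Y". Case 5 is why the thread's subject line exists at all; a real NAPT would need something other than TCP/UDP ports (the SPI, or a UDP encapsulation) to tell two ESP flows apart.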