
Re: NAT and IPSEC INCOMPATIBLE???



> 
> Which works fine provided you don't have multiple machines sitting
> behind the NAT gateway that all want to use that service.  
                                          ^^^
You are right. It works fine so long as you don't have multiple
machines, all wanting to OFFER the same service.  This is no less 
than what a host with a single IP address can offer. But, multiple 
hosts in the private realm are able to access the same external 
service using the single IP address of the NAPT. That is the
benefit that NAPT brings.

>                                                            As I said,
> I know (and use) protocols where my (client) machine needs to be
> contacted on a standard port by a server.  These protocols just fail
> under NAT.

In the protocols you refer to, the server knows its clients, ahead 
of time, by name (or unicast IP address) and initiates service by 
contacting the clients, right? This is the reverse of the client-server
concept as generally understood.

Anyways, in such a case, NAPT is not the device to use. You need a 
bi-directional-NAT that has a pool of addresses in the external realm. 
NAPT is specifically designed for applications that can take advantage 
of port multiplexing. 

> 
> -derek
> 

cheers,
suresh
> Pyda Srisuresh <suresh@livingston.com> writes:
> 
> > 
> > 
> > Let me try to respond. I will assume, you are referring to a specific
> > flavor of NAT, called Network Address Port Translator (NAPT).
> > 
> > NAT is session-based and does not operate on a per-packet basis.
> > I.e., once a session is permitted by NAT in a certain direction,
> > packets flowing in either direction will undergo translation.
> > So, I will further assume, you are referring to a new inbound 
> > session directed to a well-known TCP/UDP port on the NAPT device.
> > 
> > Now, when a new session is initiated to port X on the NAPT device, 
> > the session will be directed, by default, to the NAPT. 
> > However, as Mr. Krzysztof pointed out, it is possible to set up a 
> > static policy to redirect the session to a different host within
> > the address realm supported by NAT. For example, if the NAT device 
> > does not have FAX service available on the box, it may be redirected
> > to a host that does have it. 
> > 
> > cheers,
> > suresh
> > 
> > > 
> > > Let me repeat my question: If a packet comes in on port X on the NAT
> > > gateway, how do you know whether the packet really goes to port X on
> > > host Y or port X on host Z?  Remember, this is a protocol with a known
> > > port (port X)... It ALWAYS sits on port X.  So, how do you address
> > > "port X on host Y" when "host Y" is behind a NAT gateway?
> > > 
> > > -derek
> > > 
> > > Pakulski Krzysztof-LKP014 <Krzysztof_Pakulski-LKP014@email.mot.com> writes:
> > > 
> > > > 
> > > > I believe that one of the possibilities is to make a static binding.
> > > > 
> > > > If something comes to port X on NAT gateway, it is forwarded to port Y on
> > > > host Z, if policy allows that.
> > > > 
> > > > Krzysztof
> > > > > ----------
> > > > > From: 	Derek Atkins[SMTP:warlord@MIT.EDU]
> > > > > Sent: 	Thursday, June 10, 1999 3:45 PM
> > > > > To: 	pcalhoun@eng.sun.com
> > > > > Cc: 	Pyda Srisuresh; danmcd@Eng.Sun.Com; johnbr@elastic.com;
> > > > > ipsec@lists.tislabs.com
> > > > > Subject: 	Re: NAT and IPSEC INCOMPATIBLE???
> > > > > 
> > > > > How can you do port address translation on known incoming ports?  For
> > > > > example, what do I do if I need to get to port X on your host, which
> > > > > is sitting behind a NAT firewall?  Obviously I don't know you're
> > > > > sitting behind a NAT gateway; how is the NAT gateway supposed to know
> > > > > that a packet coming to port X is destined for host Y or host Z, both
> > > > > of whom may be using these NAT-unfriendly protocols?
> > > > > 
> > > > > And no, an answer of "don't use NAT-unfriendly protocols" is not a
> > > > > valid answer, as many of these protocols were developed years (or
> > > > > decades) before NAT.
> > > > > 
> > > > > -derek
> > > > > 
> > > > > "pcalhoun@eng.sun.com" <Pat.Calhoun@Eng.Sun.Com> writes:
> > > > > 
> > > > > > 
> > > > > > agreed, but my comment was directed to the use of NAT in hotels. It was
> > > > > > not intended to be IPSec specific. I had *assumed* that they were doing port
> > > > > > translation (to conserve addresses).
> > > > > > 
> > > > > > 
> > > > > > PatC
> > > > > > > 
> > > > > > > Pat,
> > > > > > > 
> > > > > > > The accessibility provided by NAPT (Network Address Port Translator)
> > > > > > > is not any less than the accessibility provided by a host with a 
> > > > > > > single address. 
> > > > > > > 
> > > > > > > Further, Bidirectional-NAT does not preclude inbound connections.
> > > > > > > It simply does address multiplexing - optimal use of limited
> > > > > > > addresses available.
> > > > > > > 
> > > > > > > I suggest you take a look at <draft-ietf-nat-terminology-03.txt>
> > > > > > > prior to spreading misinformation. 
> > > > > > > 
> > > > > > > cheers,
> > > > > > > suresh
> > > > > > > 
> > > > > > > > 
> > > > > > > > And just to make matters worse, I could not have anyone connect
> > > > > > > > directly to me thanks to NAT (i.e. ftp, SIP, etc).
> > > > > > > > 
> > > > > > > > PatC
> > > > > > > > 
> > > > > > > > > > > By the way, there are certain markets where NAT is a
> > > > > > > > > > > requirement (such as running IP to the guest rooms in hotels)
> > > > > > > > > 
> > > > > > > > > Until the hotels get more customers like Pat, who say that...
> > > > > > > > > 
> > > > > > > > > > hmm... so I HAVE to trust my hotel? What kind of customers are
> > > > > > > > > > they looking for? If they are looking for the commuter, then NAT is a bad
> > > > > > > > > > thing since I will want to encrypt my data back to my corporate network.
> > > > > > > > > 
> > > > > > > > > And by then they'll be looking for another alternative.
> > > > > > > > > 
> > > > > > > > > > > and IPSec is also extremely high profile.   It would help
> > > > > > > > > > > everyone out if there was a built-in method to scale arbitrarily
> > > > > > > > > > > large for address translated IPSec connections - just with
> > > > > > > > > > > ESP, I don't think that AH is as important to these users.
> > > > > > > > > 
> > > > > > > > > And that alternative is IPv6.  ESP works just fine over that.
> > > > > > > > > 
> > > > > > > > > Dan
> > > > > > > > 
> > > > > > > > 
> > > > > > > > 
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > > 
> > > > > -- 
> > > > >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > > > >        Member, MIT Student Information Processing Board  (SIPB)
> > > > >        URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
> > > > >        warlord@MIT.EDU                        PGP key available
> > > > > 
> > > 
> > > -- 
> > >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > >        Member, MIT Student Information Processing Board  (SIPB)
> > >        URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
> > >        warlord@MIT.EDU                        PGP key available
> > > 
> > 
> 
> -- 
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
>        warlord@MIT.EDU                        PGP key available
> 
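The thread argues three things about NAPT: translation is session-based (a mapping is created when a private host opens a session and replies are translated back), an unsolicited packet to port X on the NAPT address is delivered to the NAPT box itself unless a static policy redirects it, and only one private host can be the target of such a binding, which is exactly Derek's "host Y or host Z" problem. The following toy session table is an added illustration written for this page; it is not code from any of the posters or from any NAT product. The addresses are constructed from the RFC 5737 documentation ranges, the port pool and the `("translated" | "local" | "drop")` result labels are this example's own conventions, and port 5060 is used only because SIP is the kind of fixed-port protocol the thread mentions.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges); not taken from the thread.
EXTERNAL_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NAPT:
    """Toy Network Address Port Translator: one external address, many private hosts."""

    def __init__(self, external_ip, port_range=(40000, 49999)):
        self.external_ip = external_ip
        self._first, self._last = port_range
        # Dynamic session table, keyed by the external port NAPT picked:
        #   (proto, ext_port) -> (private_ip, private_port, remote_ip, remote_port)
        self.sessions = {}
        # Static policy (the "static binding" in the thread): port X on the
        # external address is redirected to exactly one private host.
        #   (proto, ext_port) -> (private_ip, private_port)
        self.static = {}

    def bind_static(self, proto, ext_port, private_ip, private_port):
        key = (proto, ext_port)
        if key in self.static:
            raise ValueError(
                f"{proto}/{ext_port} is already bound to {self.static[key][0]}: "
                "only one private host can offer a given port on the single external address")
        self.static[key] = (private_ip, private_port)

    def _allocate_port(self, proto):
        for port in range(self._first, self._last + 1):
            if (proto, port) not in self.sessions and (proto, port) not in self.static:
                return port
        raise RuntimeError("external port pool exhausted")

    def outbound(self, pkt):
        """Translate a packet leaving the private realm, creating a session if it is new."""
        # A host that offers a statically bound port answers from that same external port.
        for (proto, ext_port), (pip, pport) in self.static.items():
            if proto == pkt.proto and (pip, pport) == (pkt.src_ip, pkt.src_port):
                return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        # Session-based: reuse the mapping if this 4-tuple already has one.
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, ext_port), known in self.sessions.items():
            if proto == pkt.proto and known == flow:
                return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        ext_port = self._allocate_port(pkt.proto)
        self.sessions[(pkt.proto, ext_port)] = flow
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Classify a packet arriving at the external address.

        ("translated", pkt): it maps to a private host (live session or static policy)
        ("local", pkt):      no session and no policy, so it is for the NAPT box itself
        ("drop", pkt):       it hits a live session but comes from the wrong peer
        """
        if pkt.dst_ip != self.external_ip:
            return ("drop", pkt)
        key = (pkt.proto, pkt.dst_port)
        session = self.sessions.get(key)
        if session is not None:
            pip, pport, rip, rport = session
            if (pkt.src_ip, pkt.src_port) == (rip, rport):
                return ("translated", Packet(pkt.src_ip, pkt.src_port, pip, pport, pkt.proto))
            return ("drop", pkt)  # session was opened towards a different peer
        bound = self.static.get(key)
        if bound is not None:
            pip, pport = bound
            return ("translated", Packet(pkt.src_ip, pkt.src_port, pip, pport, pkt.proto))
        return ("local", pkt)


def demo():
    """Walk through the cases argued in the thread; returns {case: passed}."""
    nat, X = NAPT(EXTERNAL_IP), 5060
    r = {}
    # Two private hosts use the same external service through the one address.
    a = nat.outbound(Packet("10.0.0.2", 51000, "198.51.100.7", 80))
    b = nat.outbound(Packet("10.0.0.3", 51000, "198.51.100.7", 80))
    r["shared_address"] = a.src_ip == b.src_ip == EXTERNAL_IP and a.src_port != b.src_port
    act, p = nat.inbound(Packet("198.51.100.7", 80, EXTERNAL_IP, b.src_port))
    r["reply_to_b"] = act == "translated" and p == Packet("198.51.100.7", 80, "10.0.0.3", 51000)
    # A stranger hitting a live mapping from the wrong peer is dropped.
    r["unsolicited_drop"] = nat.inbound(Packet("192.0.2.9", 33000, EXTERNAL_IP, a.src_port))[0] == "drop"
    # Unsolicited traffic to well-known port X with no policy stays at the NAPT box.
    r["default_local"] = nat.inbound(Packet("192.0.2.9", 33000, EXTERNAL_IP, X))[0] == "local"
    # A static binding redirects port X to host Z, and Z answers from external port X.
    nat.bind_static("tcp", X, "10.0.0.3", X)
    act, p = nat.inbound(Packet("192.0.2.9", 33000, EXTERNAL_IP, X))
    r["static_redirect"] = (act, p.dst_ip, p.dst_port) == ("translated", "10.0.0.3", X)
    r["z_reply"] = nat.outbound(Packet("10.0.0.3", X, "192.0.2.9", 33000)).src_port == X
    # Host Y cannot also offer port X behind the same address: the binding collides.
    try:
        nat.bind_static("tcp", X, "10.0.0.2", X)
        r["second_offer_rejected"] = False
    except ValueError:
        r["second_offer_rejected"] = True
    return r


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} {'ok' if ok else 'FAIL'}")
```

The `inbound` check that a reply must come from the session's own peer is the address-and-port-restricted behaviour that makes a NAPT a coarse inbound filter; a real device may be more permissive, and the model ignores session timeouts, ICMP, and the payload rewriting (FTP and SIP carry addresses inside the data) that makes those protocols NAT-unfriendly in the first place.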


