Re: NAT Traversal



"Jayant Shukla" <jshukla@trlokom.com> writes:

> > Note that RSIP != NAT (per se).  Since RSIP requires interaction
> > between the sending client and the translator gateway, I don't see a
> > problem with the NAT traversal drafts.  If the client is RSIPsec
> > aware, then it does not need IPsec NAT traversal (because it knows
> > what the external address will be).  So, what's the problem?  If it's
> > using RSIP, it doesn't use NAT Traversal.  It's sort of like if you're
> > using TCP on a socket, you can't use UDP on that socket.
> > 
> > So, again, I don't see the problem.  There are two protocols that
> > effectively do the same thing; you just cannot use them both at the
> > same time.  However, the client KNOWS when it's using one of them so
> > it can make the choice about which one to use.
> > 
> > -derek
> 
> So you have concluded that there is NO problem? This is great, just a
> while ago you had no clue how the pass-thru worked and now you have
> concluded that there is no problem. Amazing!

Note that I started with RSIP != NAT.  I still maintain this.  RSIP
requires client interaction with the gateway (RSIP server) for it
to work.  Sure, you can base a multiplexing on the SPI if the client
is going to tell it to the gateway.  But that is __NOT__ a NAT.  NAT
boxes imply a box that just munges packets.

My point is that what you are complaining about, NAT-T v. RSIP, isn't
an issue, because the client would know not to use NAT-T if they are
using RSIP.  Considering the client needs to be aware of (and involved
in) the RSIP negotiation, they can easily not perform the NAT-T
negotiation, too.

> Regards,
> Jayant

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com