Re: NAT Traversal
"Jayant Shukla" <jshukla@trlokom.com> writes:

> > because the client would know not to use NAT-T if they are
> > using RSIP.  Considering the client needs to be aware of (and involved
> > in) the RSIP negotiation, they can easily not perform the NAT-T
> > negotiation, too.
> > 
> > 
> > -derek
> > 
> 
> 
> What makes you think the client is involved? IPsec pass-thru implemented
> in most low end NAT boxes is not complete RSIP as that would require
> modifications to client and the gateway. 

See what I said before about demon-spawn!!!  NAT traversal via IPsec
pass-thru[sic] is just plain wrong, broken, and lots of other words
that I don't want to use in mixed company.

> The simplification is that the client and gateway do not have to agree
> upon the cookie or SPI value. With this simplification the client has to
> do nothing about NAT traversal. There can be a problem (although
> unlikely) if two clients try to connect to the same domain. That is the
> reason manufacturers say these boxes support multiple client pass-thru
> sessions, but only one VPN session per VPN tunnel "terminator". 

Well, this is the problem, now, isn't it.  These boxes are trying to
be half-RSIP, and in the process of being half-RSIP are broken.  If
the NAT box worked as a real NAT box (instead of trying to do
something 'special') then NAT-T would work fine.  If these boxes were
full RSIP, then they would work fine, too.  Clearly these boxes are
broken in more ways than one.

Should we really be spending our time trying to get protocols to work
with all of these broken boxes?  If so, then what if jane random
company comes up with yet another broken way of doing things -- should
we bend over backwards to support her, too?  When does this madness
end?

> So the client cannot just choose to use IPsec pass-thru or NAT-T. If you
> have one of these IPsec pass-thru routers, you have problem with NAT-T.

No, the client should rip IPsec pass-thru boxes out of the network and
throw them in the garbage, where they belong.

The easy alternative is to move IKE + NAT-T to a second UDP port.

> Regards,
> Jayant

-derek

PS: Can I repeat my mantra?  NAT is the spawn of the devil and should
be eradicated from the face of the planet.  If necessary, we should
nuke it from orbit -- it's the only way to be sure!

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
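The point in the message above, that NAT-T works fine behind a box that behaves as a plain NAT and that IKE can then be moved to a second UDP port, can be shown with a small model. The following is an added example, not code from the thread or from any of the products it mentions. The detection mechanism it implements (NAT-D payloads carrying SHA-1(CKY-I | CKY-R | IP | Port), and floating to UDP 4500) is the one later standardised in RFC 3947, which the thread does not cite; the addresses, cookies and the `PlainNat` class are constructed for the example.

```python
"""NAT-T detection across a model NAT, then floating IKE to a second UDP port.

Added example.  The NAT-D hash construction and the 4500 port follow RFC 3947;
endpoints, cookies and the NAT model are constructed for illustration.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, field

IKE_PORT = 500      # classic ISAKMP/IKE port
NAT_T_PORT = 4500   # the "second UDP port" IKE floats to once a NAT is detected


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body per RFC 3947: SHA-1(CKY-I | CKY-R | IP | Port)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class IkeDatagram:
    src: Endpoint
    dst: Endpoint
    cky_i: bytes
    cky_r: bytes
    nat_d: list = field(default_factory=list)  # [hash(dst), hash(src), ...]


class PlainNat:
    """A 'real NAT box' (constructed model): rewrites the outer source
    address/port and keeps a mapping.  It never looks inside the UDP payload,
    so cookies and SPIs pass through untouched."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}

    def outbound(self, dg: IkeDatagram) -> IkeDatagram:
        if dg.src not in self.table:
            self.table[dg.src] = Endpoint(self.public_ip, self.next_port)
            self.next_port += 1
        return IkeDatagram(self.table[dg.src], dg.dst, dg.cky_i, dg.cky_r, list(dg.nat_d))


def build_nat_d(dg: IkeDatagram) -> IkeDatagram:
    """Sender fills NAT-D: the hash of the address it is sending TO first,
    then the hash of its own source address.  (In real IKE this happens once
    both cookies are known; both are simply constructed here.)"""
    dg.nat_d = [
        nat_d_hash(dg.cky_i, dg.cky_r, dg.dst.ip, dg.dst.port),
        nat_d_hash(dg.cky_i, dg.cky_r, dg.src.ip, dg.src.port),
    ]
    return dg


def detect_nat(dg: IkeDatagram, me: Endpoint):
    """Receiver side.  Returns (peer_behind_nat, self_behind_nat).

    If the sender's hash of the destination differs from the hash of the
    address I actually have, something rewrote my address: I am behind a NAT.
    If the hash of the outer source address I see matches none of the sender's
    own source hashes, the sender's address was rewritten: the peer is behind
    a NAT."""
    my_hash = nat_d_hash(dg.cky_i, dg.cky_r, me.ip, me.port)
    self_natted = dg.nat_d[0] != my_hash
    seen_src = nat_d_hash(dg.cky_i, dg.cky_r, dg.src.ip, dg.src.port)
    peer_natted = seen_src not in dg.nat_d[1:]
    return peer_natted, self_natted


def choose_port(peer_natted: bool, self_natted: bool) -> int:
    """Stay on 500 when no NAT is in the path; otherwise float to 4500."""
    return NAT_T_PORT if (peer_natted or self_natted) else IKE_PORT


def run_scenario(through_nat: bool):
    """Client (private address) talks to a gateway, optionally via PlainNat.
    Returns what the gateway concludes and the port it will use."""
    cky_i = bytes.fromhex("0123456789abcdef")   # constructed cookies
    cky_r = bytes.fromhex("fedcba9876543210")
    client = Endpoint("192.168.1.10", IKE_PORT)
    gateway = Endpoint("198.51.100.7", IKE_PORT)
    dg = build_nat_d(IkeDatagram(client, gateway, cky_i, cky_r))
    if through_nat:
        dg = PlainNat("203.0.113.5").outbound(dg)
    peer_natted, self_natted = detect_nat(dg, gateway)
    return peer_natted, self_natted, choose_port(peer_natted, self_natted)


if __name__ == "__main__":
    print("direct :", run_scenario(False))
    print("via NAT:", run_scenario(True))
```

With the plain NAT in the path the gateway sees a source hash that matches nothing the client sent, concludes the client is behind a NAT, and both sides float to the second UDP port; with no NAT they stay on 500. A box that instead inspects the IKE payload and tracks cookies or SPIs for its own "pass-thru" logic sits outside this model, which is the complaint in the message above.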