RE: Towards closure on NAT traversal.



At 09:56 PM 3/2/02 -0800, Greg Bailey wrote:
>Not if the FTP server doesn't implement PASV (it is not required).  This
>may seem to be niggling but if people are going to make fundamental
>changes such as NAT which change the requirements for interoperability
>it would be nice to at least publish those requirements in an RFC.

That's been done.

You're actually talking about two different things:  network/
transport-layer NAT traversal and application-layer NAT traversal.
We're working on application-layer NAT traversal by developing
mechanisms that allow applications to "know" their NATted-to
address, and I would argue that this is not really an IPSec NAT
problem.  Requiring that boxes in the network know how application
protocols work is bad mojo.

Constraining the problem at hand to just getting individual IPSec flows
across NATs will tend to work in favor of architectural cleanliness,
will modularize the work so that it's doable (otherwise you're
basically talking about rearchitecting IP), and will provide people
who have to deal with applications with a tool they can use.

Melinda