
RE: Towards closure on NAT traversal.

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]
> On Behalf Of Melinda Shore
> Sent: Sunday, March 03, 2002 6:20 AM
> To: Greg Bailey; Sandy Harris; ipsec@lists.tislabs.com
> Cc: ark-gvb-x
> Subject: RE: Towards closure on NAT traversal.
> 
> At 09:56 PM 3/2/02 -0800, Greg Bailey wrote:
> >Not if the FTP server doesn't implement PASV (it is not required). This
> >may seem to be niggling but if people are going to make fundamental
> >changes such as NAT which change the requirements for interoperability
> >it would be nice to at least publish those requirements in an RFC.
> 
> That's been done.
> 

So you have the PASV FTP working, right?

> You're actually talking about two different things:  network/
> transport-layer NAT traversal and application-layer NAT traversal.


This is new! I thought we were just dealing with the NAT traversal
problem. Now you have split the NAT traversal problem into NAT traversal
at the TCP/IP layer and NAT traversal at the application layer.

> We're working on application-layer NAT traversal by developing
> mechanisms that allow applications to "know" their NATted-to
> address, and I would argue that this is not really an IPSec NAT
> problem.  Requiring that boxes in the network know how application
> protocols work is bad mojo.
> 

hmm! NAT boxes already do that! That is how it all started. What's your
point? Are you suggesting that NAT boxes should not do what they are
doing?

> Constraining the problem at hand to just getting individual IPSec flows
> across NATs will tend to work in favor of architectural cleanliness,
> will modularize the work so that it's doable (otherwise you're
> basically talking about rearchitecting IP), and will provide people
> who have to deal with applications with a tool they can use.
> 
> Melinda

So now all FTP servers will have to be NAT aware, right? Try selling
that to your customers. That is in addition to the modifications to
IPsec, IKE, and NAT required by your solution.

Regards,
Jayant
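As an added example (not part of the original thread, and not code from any of its participants) of the two things being argued over above: what an FTP application-layer gateway (ALG) on a NAT box actually does to an active-mode PORT command, and why a server that implements PASV lets the NAT stay ignorant of FTP. The hosts, ports and control-channel lines are constructed; `alg_rewrite_port`, `pasv_data_endpoint` and the NAT's public address are assumptions for illustration. The caveat a practitioner wants: the rewrite in `alg_rewrite_port` needs a readable, modifiable control channel, which is exactly what it loses when that channel runs inside IPsec, so an ALG cannot rescue active-mode FTP through an IPsec tunnel.

```python
"""Added example, not code from the original thread: FTP ALG behaviour on a
NAT for active mode (PORT), versus passive mode (227 reply) which needs no ALG.
All addresses, ports and sample control-channel lines are constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


def parse_hostport(tuple_text: str) -> Endpoint:
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 form used by PORT and 227 replies."""
    parts = tuple_text.split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed host/port tuple: {tuple_text!r}")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range: {tuple_text!r}")
    return Endpoint(".".join(parts[:4]), nums[4] * 256 + nums[5])


def format_hostport(ep: Endpoint) -> str:
    """Encode an endpoint back into the h1,h2,h3,h4,p1,p2 form."""
    octets = ep.host.split(".")
    if len(octets) != 4 or not 0 < ep.port <= 65535:
        raise ValueError(f"bad endpoint: {ep}")
    return ",".join(octets + [str(ep.port // 256), str(ep.port % 256)])


PORT_RE = re.compile(r"^PORT (\S+)\r\n$")
PASV_REPLY_RE = re.compile(r"^227 [^(]*\(([0-9,]+)\)")


def is_private(ip: str) -> bool:
    """RFC 1918 check so the ALG only rewrites addresses that need it."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def alg_rewrite_port(line: str, nat_public_ip: str,
                     nat_port: int) -> Tuple[str, Optional[Endpoint]]:
    """Rewrite an active-mode PORT command the way an FTP ALG on a NAT does.

    The client behind the NAT asks the server to connect back to its *private*
    address. The ALG substitutes the NAT's public address and a port it will
    map, and returns the private endpoint the NAT must forward that port to.
    This only works because the ALG can read and change the control channel
    in cleartext; inside an IPsec tunnel it cannot (assumption: the NAT's
    public address and mapped port are chosen by the caller)."""
    m = PORT_RE.match(line)
    if not m:
        return line, None          # not a PORT command: forward untouched
    inner = parse_hostport(m.group(1))
    if not is_private(inner.host):
        return line, None          # already a routable address: nothing to do
    public = Endpoint(nat_public_ip, nat_port)
    return f"PORT {format_hostport(public)}\r\n", inner


def pasv_data_endpoint(reply: str) -> Endpoint:
    """Passive mode: the server advertises where the client should connect.

    The client then opens an outbound TCP connection, which the NAT handles
    with ordinary address translation and no knowledge of FTP at all."""
    m = PASV_REPLY_RE.match(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    return parse_hostport(m.group(1))


if __name__ == "__main__":
    # Constructed sample: a client at 10.0.0.5 behind a NAT whose public
    # address is 192.0.2.1 (hypothetical), asking the server to connect back.
    fwd, mapped = alg_rewrite_port("PORT 10,0,0,5,4,1\r\n", "192.0.2.1", 40000)
    print(fwd.strip(), "->", mapped)
    # Constructed sample 227 reply from a server that does implement PASV.
    print(pasv_data_endpoint("227 Entering Passive Mode (198,51,100,7,195,80)."))
```

The point the example makes concrete: with PASV the NAT never has to parse FTP, which is the "application-ignorant NAT" position in the quoted text; without PASV something in the path must rewrite the PORT payload, and that something cannot be a NAT box once the control channel is protected by IPsec.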