
RE: Towards closure on NAT traversal.



At 10:32 PM 3/3/02 -0800, Jayant Shukla wrote:
>> You're actually talking about two different things:  network/
>> transport-layer NAT traversal and application-layer NAT traversal.
>
>This is new! 

It's not, actually - it's been going on for several years within
the IETF and longer than that outside of the IETF.

>I thought we were just dealing with the NAT traversal
>problem. Now you have split the NAT traversal problem into NAT traversal
>at TCP/IP layer and NAT traversal at application layer.

You're dealing, I believe, with getting IPSec across NATs.  If
you expand the problem without separating it into its component
parts you run the very real risk of 1) completely re-engineering
IP, and 2) failing to respect layer boundaries.  I'm not particularly
dogmatic about the latter, although I've found that egregious layer
violations tend to lead to routing problems/complexity, as routing
tables and routing updates need to be shoved from one layer to another.  

>hmm! NAT boxes already do that! That is how it all started. What's your
>point? Are you suggesting that NAT boxes should not do what they are
>doing?

Yes, partially.  NATs and IP are fundamentally incompatible, and
with session-oriented protocols and with servers behind NATs either the
NAT needs to know about the application or the application needs to know
about the NAT.  The problem with putting application awareness into
NATs is that it has terrible scaling characteristics, it deals with
some situations very badly (if at all - for example, multiple instances
of the same service behind a single NAT), and it isn't particularly
responsive to the deployment of new protocols or new versions of old
protocols.

If you're arguing that NAT traversal problems need to be solved, well sure,
I agree - I chair midcom and am working on additional approaches to the
problem.  If you're arguing that the IPSec working group should figure out 
how to get non-PASV FTP across NATs, that's just silly.

Melinda
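The following is an added illustration, not code from this thread or from any IETF work product. It is a toy model of a port-translating NAT with an FTP application-layer gateway, written to show three of the points made above: an active-mode FTP PORT command embeds a private address that the NAT must rewrite or the data connection is unreachable; two servers behind one NAT cannot both own the same public port; and once the payload is ESP-encrypted the ALG can no longer see the PORT command, so application awareness in the NAT does nothing for IPsec. The addresses (192.168.1.x, 203.0.113.1), ports and the class and function names are all assumptions made up for the example.

```python
"""Toy NAPT with an FTP application-layer gateway (constructed example).

Not code from the IPsec/midcom discussion. Addresses and ports are invented.
"""
import re
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.1"  # assumed public side of the NAT (RFC 5737 range)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def encode_port(ip, port):
    """Build an FTP PORT line: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


def decode_port(line):
    """Parse a PORT line back into (ip, port); None if it is not a PORT line."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


@dataclass
class Nat:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # public_port -> (priv_ip, priv_port)
    alg: bool = True  # whether the NAT understands FTP at all

    def map_outbound(self, priv_ip, priv_port):
        """Allocate (or reuse) a public port for a private endpoint."""
        for pub_port, ep in self.table.items():
            if ep == (priv_ip, priv_port):
                return pub_port
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (priv_ip, priv_port)
        return pub_port

    def bind_static(self, pub_port, priv_ip, priv_port):
        """Inbound port forward; only one private host can own a public port."""
        owner = self.table.get(pub_port)
        if owner is not None and owner != (priv_ip, priv_port):
            raise ValueError("public port %d already mapped to %s" % (pub_port, owner))
        self.table[pub_port] = (priv_ip, priv_port)

    def translate_outbound(self, priv_ip, payload, encrypted=False):
        """Return the control-channel payload as the outside sees it."""
        if encrypted or not self.alg:
            return payload  # ESP hides the payload; no ALG means no rewrite
        parsed = decode_port(payload)
        if parsed is None or parsed[0] != priv_ip:
            return payload
        pub_port = self.map_outbound(*parsed)
        return encode_port(self.public_ip, pub_port)

    def inbound(self, pub_port):
        """Where an inbound connection to pub_port is delivered, if anywhere."""
        return self.table.get(pub_port)


def server_can_connect_back(nat, priv_ip, port_line, encrypted=False):
    """Simulate the remote FTP server opening the data connection it was told to."""
    wanted = decode_port(port_line)  # where the client really listens
    seen = decode_port(nat.translate_outbound(priv_ip, port_line, encrypted))
    if seen[0] != nat.public_ip:
        return False  # a private address is not routable from outside
    return nat.inbound(seen[1]) == wanted


if __name__ == "__main__":
    line = encode_port("192.168.1.10", 1025)
    print("no ALG     :", server_can_connect_back(Nat(alg=False), "192.168.1.10", line))
    print("with ALG   :", server_can_connect_back(Nat(), "192.168.1.10", line))
    print("ESP payload:", server_can_connect_back(Nat(), "192.168.1.10", line, encrypted=True))
    nat = Nat()
    nat.bind_static(21, "192.168.1.10", 21)
    try:
        nat.bind_static(21, "192.168.1.11", 21)
    except ValueError as e:
        print("second FTP server:", e)
```

The model deliberately leaves out timers, TCP state and checksum fix-ups; the point is only that the rewrite has to happen somewhere, and that neither the NAT (blind to ESP) nor an unaware application can do it on its own.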