RE: Towards closure on NAT traversal.



Hallam-Baker, Phillip wrote:
> ...
> To take IPSEC to the next level we need to make IPSEC work well enough
> through a NAT that it can support SMTP client, HTTP client, POP3 client,
> IMAP client, NNTP client. We do not need to start addressing problems that
> have not been solved for NAT in general (and hacking up packets with
> protocol sensitive modifications is not a solution).
> ...
> If people stopped complaining about how anti-social NATs are and started
> working out how we could socialize them into more acceptable modes of
> behavior the degree of damage caused could be rendered tolerable.

Note the problem set you listed above is limited to 'clients'. Since one
endpoint in all those applications requires a 'server', and it appears
that the set is limited to your particular view of the problem space,
there will be complaints that NAT behavior is anti-social. The other
point this simple statement misses is that not all NATs are created
equal. A simple solution to the problem for one variant is unlikely to
work for all. Rather than waste time trying to figure out the possible
modes, look at
http://search.ietf.org/internet-drafts/draft-ietf-ngtrans-shipworm-05.txt.
Then, rather than waste time trying to solve the problem in a
specific way for IPsec, just reference it as the way to get past IPv4
NATs and use IPv6 as the end-to-end protocol.

Tony