IETF Logo Mail Archive

Re: IESG position on NAT traversal and IPv4/IPv6

Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp> Wed, 17 November 2010 23:36 UTC

Return-Path: <mohta@necom830.hpcl.titech.ac.jp>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B6CA93A69AB for <ietf@core3.amsl.com>; Wed, 17 Nov 2010 15:36:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.653
X-Spam-Level: *
X-Spam-Status: No, score=1.653 tagged_above=-999 required=5 tests=[AWL=-0.217, BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_BL_SPAMCOP_NET=1.96]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1TKyMNtUxhAH for <ietf@core3.amsl.com>; Wed, 17 Nov 2010 15:36:46 -0800 (PST)
Received: from necom830.hpcl.titech.ac.jp (necom830.hpcl.titech.ac.jp [131.112.32.132]) by core3.amsl.com (Postfix) with SMTP id 1C7DE3A69B3 for <ietf@ietf.org>; Wed, 17 Nov 2010 15:36:45 -0800 (PST)
Received: (qmail 95731 invoked from network); 18 Nov 2010 00:11:19 -0000
Received: from softbank219001188004.bbtec.net (HELO ?192.168.1.21?) (219.1.188.4) by necom830.hpcl.titech.ac.jp with SMTP; 18 Nov 2010 00:11:19 -0000
Message-ID: <4CE466DC.3080807@necom830.hpcl.titech.ac.jp>
Date: Thu, 18 Nov 2010 08:35:56 +0900
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: mrex@sap.com
Subject: Re: IESG position on NAT traversal and IPv4/IPv6
References: <201011171741.oAHHfkAp014464@fs4113.wdf.sap.corp>
In-Reply-To: <201011171741.oAHHfkAp014464@fs4113.wdf.sap.corp>
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
Cc: hallam@gmail.com, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Nov 2010 23:36:47 -0000

Martin Rex wrote:

>>> Correct.  It is called the HTTP CONNECT method.
>>
>> If, with your definition of "traversal", tunneling is a form
>> of traversal, tunneling by IPSEC is a standard firewall
>> traversal protocol and is much better than HTTP CONNECT
>> because of UDP.
> 
> Not quite.  Tunneling needs matching configurations on both ends,

Yes, of course.

> and that rarely works, in particular on a global scale with
> peers you do not know a-priori.

Where is the point to use firewalls or firewall functionality
of NAT to be tunneled by someone you do not know a-priori?

That's why I said:

: FYI, traversable firewall is, by definition, broken.

Or, if you are saying you and your peer are members of some
large organization, the organization can take care of
IPSEC peering configuration.

But, too often, it is a lot easier, a lot more convenient and
a lot more flexible to use ID/password at the application layer,
which is partly why IPSEC is not really deployed.

> Home DSL routers usually do NAT.  For outgoing connections,
> they're transparent.

Unlike end to end NAT, legacy NAT is not very transparent.

> For incoming connections, it is either
> possible to configure static mappings (external->internal)

If you want to run servers behind NAT, you need static IP
addresses and static port numbers, of course.

> or there might be some dynamic configurability through UPnP.
> UDP included.

It works only after a connection is established through
a static IP address and a port number.

					Masataka Ohta

v2.23.0 | Report a Bug | By Email