Re: NAT and IPSEC INCOMPATIBLE???
Derek Atkins <warlord@MIT.EDU> Fri, 11 June 1999 00:57 UTC
To: Pyda Srisuresh <suresh@livingston.com>
Cc: Krzysztof_Pakulski-LKP014@email.mot.com, Pat.Calhoun@Eng.Sun.Com, danmcd@Eng.Sun.Com, johnbr@elastic.com, ipsec@lists.tislabs.com
Subject: Re: NAT and IPSEC INCOMPATIBLE???
References: <199906102255.PAA02566@kc.livingston.com>
From: Derek Atkins <warlord@MIT.EDU>
Date: Thu, 10 Jun 1999 19:05:38 -0400
In-Reply-To: Pyda Srisuresh's message of Thu, 10 Jun 1999 15:55:02 -0700 (PDT)
Message-Id: <sjmemjjvepp.fsf@rcn.ihtfp.org>
Which works fine provided you don't have multiple machines sitting
behind the NAT gateway that all want to use that service. As I said,
I know (and use) protocols where my (client) machine needs to be
contacted on a standard port by a server. These protocols just fail
under NAT.

-derek

Pyda Srisuresh <suresh@livingston.com> writes:

> Let me try to respond. I will assume you are referring to a specific
> flavor of NAT, called Network Address Port Translator (NAPT).
>
> NAT is session-based and does not operate on a per-packet basis.
> I.e., once a session is permitted by NAT in a certain direction,
> packets flowing in either direction will undergo translation.
> So, I will further assume you are referring to a new inbound
> session directed to a well-known TCP/UDP port on the NAPT device.
>
> Now, when a new session is initiated to port X on the NAPT device,
> the session will be directed, by default, to the NAPT.
> However, as Mr. Krzysztof pointed out, it is possible to set up a
> static policy to redirect the session to a different host within
> the address realm supported by NAT. For example, if the NAT device
> does not have FAX service available on the box, it may be redirected
> to a host that does have it.
>
> cheers,
> suresh
>
> > Let me repeat my question: If a packet comes in on port X on the NAT
> > gateway, how do you know whether the packet really goes to port X on
> > host Y or port X on host Z? Remember, this is a protocol with a known
> > port (port X)... It ALWAYS sits on port X. So, how do you address
> > "port X on host Y" when "host Y" is behind a NAT gateway?
> >
> > -derek
> >
> > Pakulski Krzysztof-LKP014 <Krzysztof_Pakulski-LKP014@email.mot.com> writes:
> >
> > > I believe that one of the possibilities is to make a static binding.
> > >
> > > If something comes to port X on the NAT gateway, it is forwarded to
> > > port Y on host Z, if policy allows that.
> > >
> > > Krzysztof
> > >
> > > > ----------
> > > > From: Derek Atkins[SMTP:warlord@MIT.EDU]
> > > > Sent: Thursday, June 10, 1999 3:45 PM
> > > > To: pcalhoun@eng.sun.com
> > > > Cc: Pyda Srisuresh; danmcd@Eng.Sun.Com; johnbr@elastic.com;
> > > > ipsec@lists.tislabs.com
> > > > Subject: Re: NAT and IPSEC INCOMPATIBLE???
> > > >
> > > > How can you do port address translation on known incoming ports? For
> > > > example, what do I do if I need to get to port X on your host, which
> > > > is sitting behind a NAT firewall? Obviously I don't know you're
> > > > sitting behind a NAT gateway; how is the NAT gateway supposed to know
> > > > that a packet coming to port X is destined for host Y or host Z, both
> > > > of whom may be using these NAT-unfriendly protocols?
> > > >
> > > > And no, an answer of "don't use NAT-unfriendly protocols" is not a
> > > > valid answer, as many of these protocols were developed years (or
> > > > decades) before NAT.
> > > >
> > > > -derek
> > > >
> > > > "pcalhoun@eng.sun.com" <Pat.Calhoun@Eng.Sun.Com> writes:
> > > >
> > > > > agreed, but my comment was directed to the use of NAT in hotels.
> > > > > It was not intended to be IPSec specific. I had *assumed* that
> > > > > they were doing port translation (to conserve addresses).
> > > > >
> > > > > PatC
> > > > >
> > > > > > Pat,
> > > > > >
> > > > > > The accessibility provided by NAPT (Network Address Port Translator)
> > > > > > is not any less than the accessibility provided by a host with a
> > > > > > single address.
> > > > > >
> > > > > > Further, Bidirectional-NAT does not preclude inbound connections.
> > > > > > It simply does address multiplexing - optimal use of limited
> > > > > > addresses available.
> > > > > >
> > > > > > I suggest you take a look at <draft-ietf-nat-terminology-03.txt>
> > > > > > prior to spreading misinformation.
> > > > > >
> > > > > > cheers,
> > > > > > suresh
> > > > > >
> > > > > > > And just to make matters worse, I could not have anyone connect
> > > > > > > directly to me thanks to NAT (i.e. ftp, SIP, etc).
> > > > > > >
> > > > > > > PatC
> > > > > > >
> > > > > > > > > > By the way, there are certain markets where NAT is a
> > > > > > > > > > requirement (such as running IP to the guest rooms in hotels)
> > > > > > > >
> > > > > > > > Until the hotels get more customers like Pat, who say that...
> > > > > > > >
> > > > > > > > > hmm... so I HAVE to trust my hotel? What kind of customers are
> > > > > > > > > they looking for? If they are looking for the commuter, then NAT
> > > > > > > > > is a bad thing since I will want to encrypt my data back to my
> > > > > > > > > corporate network.
> > > > > > > >
> > > > > > > > And by then they'll be looking for another alternative.
> > > > > > > >
> > > > > > > > > > and IPSec is also extremely high profile. It would help
> > > > > > > > > > everyone out if there was a built-in method to scale arbitrarily
> > > > > > > > > > large for address translated IPSec connections - just with
> > > > > > > > > > ESP, I don't think that AH is as important to these users.
> > > > > > > >
> > > > > > > > And that alternative is IPv6. ESP works just fine over that.
> > > > > > > >
> > > > > > > > Dan

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL N1NWH
warlord@MIT.EDU PGP key available
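The session-based NAPT behaviour suresh describes, and the static binding Krzysztof proposes, modelled as a small Python simulation. This is an added example, not code from anyone on the list: the addresses, port numbers and the Napt class are constructed here, and port 5060 stands in for "port X" of a fixed-port protocol (SIP is one the thread names). It runs through the three cases discussed and then shows the limit Derek raises, that a single public port can be statically bound to only one internal host.

```python
# Toy NAPT: one public address, a per-session translation table for
# outbound traffic, and an optional static redirect policy per public port.
from dataclasses import dataclass, field

@dataclass
class Napt:
    public_ip: str                         # the gateway's single routable address
    next_port: int = 40000                 # next free public port for new sessions
    sessions: dict = field(default_factory=dict)  # pub_port -> (priv_ip, priv_port)
    static: dict = field(default_factory=dict)    # pub_port -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A private host opens a session: allocate a public port and record it.
        Packets flowing back in the other direction are translated via this entry."""
        pub_port = self.next_port
        self.next_port += 1
        self.sessions[pub_port] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Deliver a packet that arrived at the public address; returns its real target."""
        if dst_port in self.sessions:          # reply to an already-permitted session
            return self.sessions[dst_port]
        if dst_port in self.static:            # static redirect policy for this port
            return self.static[dst_port]
        return (self.public_ip, dst_port)      # default: the NAPT device itself

def add_static(napt, pub_port, priv_ip, priv_port):
    """Krzysztof's static binding: port X on the gateway -> port Y on host Z.
    A public port can be owned by only one internal host at a time."""
    if pub_port in napt.static:
        raise ValueError(f"public port {pub_port} already bound to {napt.static[pub_port]}")
    napt.static[pub_port] = (priv_ip, priv_port)

def demo():
    napt = Napt("203.0.113.1")                  # constructed documentation address
    # 1. host Y opens a session; the reply is translated back through the session table
    pub = napt.outbound("10.0.0.2", 5000, "198.51.100.9", 80)
    reply = napt.inbound("198.51.100.9", 80, pub[1])
    # 2. unsolicited packet to well-known port X with no policy: lands on the NAPT box
    unsolicited = napt.inbound("198.51.100.9", 1234, 5060)
    # 3. a static policy redirects port X to host Y
    add_static(napt, 5060, "10.0.0.2", 5060)
    redirected = napt.inbound("198.51.100.9", 1234, 5060)
    # 4. host Z runs the same fixed-port protocol, but port X is already taken
    try:
        add_static(napt, 5060, "10.0.0.3", 5060)
        second_ok = True
    except ValueError:
        second_ok = False
    return reply, unsolicited, redirected, second_ok
```

Case 4 is the whole of Derek's objection: a protocol that must be reachable on port X can be mapped to one host behind the gateway, but not to two.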