Re: NAT and IPSEC INCOMPATIBLE???

Derek Atkins <warlord@MIT.EDU> Thu, 10 June 1999 21:44 UTC

To: "pcalhoun@eng.sun.com" <Pat.Calhoun@Eng.Sun.Com>
Cc: Pyda Srisuresh <suresh@livingston.com>, danmcd@Eng.Sun.Com, johnbr@elastic.com, ipsec@lists.tislabs.com
Subject: Re: NAT and IPSEC INCOMPATIBLE???
References: <Roam.SIMC.2.0.6.929041903.28204.pcalhoun@hsmpka>
From: Derek Atkins <warlord@MIT.EDU>
Date: Thu, 10 Jun 1999 15:45:25 -0400
In-Reply-To: "pcalhoun@eng.sun.com"'s message of Thu, 10 Jun 1999 12:11:43 -0700 (PDT)
Message-Id: <sjmk8tbvnze.fsf@rcn.ihtfp.org>

How can you do port address translation on known incoming ports?  For
example, what do I do if I need to get to port X on your host, which
is sitting behind a NAT firewall?  Obviously I don't know you're
sitting behind a NAT gateway; how is the NAT gateway supposed to know
that a packet coming to port X is destined for host Y or host Z, both
of whom may be using these NAT-unfriendly protocols?

And no, an answer of "don't use NAT-unfriendly protocols" is not a
valid answer, as many of these protocols were developed years (or
decades) before NAT.

-derek

"pcalhoun@eng.sun.com" <Pat.Calhoun@Eng.Sun.Com> writes:

> 
> agreed, but my comment was directed to the use of NAT in hotels. It was not
> intended to be IPSec specific. I had *assumed* that they were doing port
> translation (to conserve addresses).
> 
> 
> PatC
> > 
> > Pat,
> > 
> > The accessibility provided by NAPT (Network Address Port Translator)
> > is not any less than the accessibility provided by a host with a 
> > single address. 
> > 
> > Further, Bidirectional-NAT does not preclude inbound connections.
> > It simply does address multiplexing - optimal use of limited
> > addresses available.
> > 
> > I suggest you take a look at <draft-ietf-nat-terminology-03.txt>
> > prior to spreading misinformation. 
> > 
> > cheers,
> > suresh
> > 
> > > 
> > > And just to make matters worse, I could not have anyone connect directly to me
> > > thanks to NAT (i.e. ftp, SIP, etc).
> > > 
> > > PatC
> > > 
> > > > > > By the way, there are certain markets where NAT is a requirement (such as
> > > > > > running IP to the guest rooms in hotels)
> > > > 
> > > > Until the hotels get more customers like Pat, who say that...
> > > > 
> > > > > hmm... so I HAVE to trust my hotel? What kind of customers are they looking
> > > > > for? If they are looking for the commuter, then NAT is a bad thing since I
> > > > > will want to encrypt my data back to my corporate network.
> > > > 
> > > > And by then they'll be looking for another alternative.
> > > > 
> > > > > > and IPSec is also extremely high profile.   It would help everyone out if
> > > > > > there was a built-in method to scale arbitrarily
> > > > > > large for address translated IPSec connections - just with ESP, I don't
> > > > > > think that AH is as important to these users.
> > > > 
> > > > And that alternative is IPv6.  ESP works just fine over that.
> > > > 
> > > > Dan
> > > 
> > > 
> > > 
> > 
> 
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/      PP-ASEL      N1NWH
       warlord@MIT.EDU                        PGP key available
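The demultiplexing problem Derek raises (how does a port translator know whether a packet arriving on "port X" belongs to host Y or host Z, and what does it do with ESP, which has no ports at all) can be made concrete with a toy NAPT. This is an added illustration, not code from the thread or from any of its participants; the addresses and port numbers are constructed examples.

```python
# Toy NAPT (Network Address Port Translator) showing why unsolicited inbound
# connections and port-less IPsec ESP cannot be demultiplexed to an inside host.
from dataclasses import dataclass
from typing import Optional

TCP, UDP, ESP = 6, 17, 50  # IP protocol numbers; ESP carries no transport ports

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols such as ESP
    dport: Optional[int] = None

class NAPT:
    """Outbound packets create (proto, external port) -> (inside host, inside
    port) bindings; inbound packets are forwarded only if a binding exists."""

    def __init__(self, ext_ip: str, first_port: int = 40000):
        self.ext_ip = ext_ip
        self.next_port = first_port
        self.bindings = {}  # (proto, ext_port) -> (inside_ip, inside_port)
        self.reverse = {}   # (proto, inside_ip, inside_port) -> ext_port

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # ESP: only the source address can be rewritten. No port exists,
            # so no binding is created and replies cannot be matched later.
            return Packet(pkt.proto, self.ext_ip, pkt.dst)
        key = (pkt.proto, pkt.src, pkt.sport)
        ext_port = self.reverse.get(key)
        if ext_port is None:
            ext_port = self.next_port  # distinct external port per inside flow
            self.next_port += 1
            self.reverse[key] = ext_port
            self.bindings[(pkt.proto, ext_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.ext_ip, pkt.dst, ext_port, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None:
            return None  # ESP reply: no port, so nothing selects host Y or Z
        inside = self.bindings.get((pkt.proto, pkt.dport))
        if inside is None:
            return None  # unsolicited packet to "port X": no binding, dropped
        inside_ip, inside_port = inside
        return Packet(pkt.proto, pkt.src, inside_ip, pkt.sport, inside_port)
```

Two inside hosts both using local port 51000 get distinct external ports and their replies come back correctly, while a fresh inbound connection to any port, and any inbound ESP packet, has no binding to follow and is dropped.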