
RE: NAT Traversal

On Mon, 4 Mar 2002, Paul Koning wrote:

> >>>>> "Chinna" == Chinna N R Pellacuru <pcn@xxxxxxxxx> writes:
>
>  Chinna> I think that there seems to be a big problem with people who
>  Chinna> want to only casually look at this problem of NAT and
>  Chinna> IPsec. I think that these casual observers tend to assume
>  Chinna> that any and every possible scenario of NATs and IPsec will
>  Chinna> work with some solution. You'll have to first take the time
>  Chinna> to understand what is feasible, and what is not. Once you
>  Chinna> have come up with a set of scenarios in which it is feasible
>  Chinna> to solve this problem, then you have to pick a technique that
>  Chinna> will only work in those scenarios.
>
> I guess I'm confused about the process.
>
> It looked like you were proposing a solution, or at least components
> of one.  Several people started saying "but what about x?  What about
> y?"  That seems reasonable.

I am not saying that it is unreasonable to ask about x and y, but what I
am saying is that they should also fully specify x and y.

>
> Now, if you want to start with a problem statement, and from there
> derive a solution that addresses the scenarios in the problem
> statement, that sounds fine.  But it didn't look like you were doing
> that.
>

I think it is getting more and more clear where we started, and where we
are heading. In the beginning there was this push to solve every possible
scenario. Even a casual observer can shoot down all feasible solutions,
because some fairly obvious scenarios are very hard, if not impossible to
solve. Then AH was dropped altogether. Then, all mention of "built-in NAT"
was dropped.

If you followed some recent discussion, some (including me) are still
asking the basic question: what is a reasonable solution supposed to solve?

-----------------------------------------------------------------------
Date: Sat, 2 Mar 2002 12:32:06 -0800
From: Greg Bailey <greg@xxxxxxxxxxx>
To: ipsec@xxxxxxxxxxxxxxxxx
Cc: ark-gvb-x <ark-gvb-x@xxxxxxxxxxx>
Subject: RE: Towards closure on NAT traversal.

Yet there are some things that seem to me logically impossible in
the presence of a NAT.  Consider an ESP encrypted, or even just
authenticated, FTP control channel.  In order for the NAT to function
"transparently" it must assemble, parse, and alter the TCP stream
when necessary (PORT command).  How can this possibly work using
straight IP with IPSec unless the NAT cracks the keys et cetera?  Not
to mention that a NAT box with such capabilities would be an even
more powerful assault weapon than is a plain old NAT box...

I would submit FTP as a proof of existence of insoluble problems in
*transparently* traversing a NAT with IPSec.

Even adding Security Gateway code to a NAT, which in many respects
would seem the best form of "IPSec pass-through", would still leave
the problems caused by uncoordinated use of private address space
on the other side of the NAT in non VPN environments.

How long a list of exceptions can any "solution" to this charter
item tolerate and still deserve to be called a solution?

    Greg Bailey     |  ATHENA Programming, Inc  |  503-295-7703  |
  ----------------  |  310 SW 4th Ave  Ste 530  |  fax 295-6935  |
  greg@xxxxxxxxxxx  |  Portland, OR  97204  US  |
----------------------------------------------------------------------

> If your answer to each note questioning some case is to ECO the
> (unstated) problem statement to exclude the case being asked about,
> that's certainly one way to proceed, but I'm not sure it will yield a
> meaningful solution...
>

Agreed. I am just asking for those who are saying that something won't
work, to please spell out all the details of what it is that you are
saying will not work. I don't think that is an unreasonable thing to
expect. Once you fully specify the scenario in which you think our or
other solutions don't work, then we can first start by seeing if that
scenario itself is something that anyone is trying to accommodate, and if
so, how important is it to accommodate it. What are the various tradeoffs
for including or excluding that scenario, and which proposed solutions
will work, and which won't work.

    chinna
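Greg Bailey's FTP argument, carried through as an added example (this is not code from the thread or from any IPsec implementation): a minimal FTP application-level gateway that rewrites the PORT command, run over a plaintext control channel, then over an integrity-only stand-in for ESP (the "even just authenticated" case, where the NAT can read PORT but cannot recompute the ICV), then over an encrypted stand-in (where the NAT cannot even recognise PORT). The addresses, keys and port numbers are constructed, and the HMAC-SHA256 tag and SHA-256 keystream are assumed stand-ins for ESP's integrity and confidentiality, not ESP itself.

```python
"""Why a NAT's FTP ALG cannot operate on an IPsec-protected FTP control channel.

Added example, not code from the ipsec thread. HMAC-SHA256 and a SHA-256
keystream stand in for ESP integrity and confidentiality (assumption, not
real ESP). Addresses, ports and keys below are constructed.
"""
import hashlib
import hmac
import re

PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port(line: str):
    """Return (ip, port) for an active-mode FTP PORT command, else None."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):
        return None
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port(ip: str, port: int) -> str:
    """Inverse of parse_port: encode ip/port as the h1,h2,h3,h4,p1,p2 form."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


class FtpAlg:
    """Minimal NAT application-level gateway for the FTP control channel.

    Replaces the client's private address in PORT with the NAT's public
    address and a public port, and records the mapping so the server's
    inbound data connection can be forwarded to the client."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}  # public port -> (private ip, private port)

    def rewrite(self, line: str) -> str:
        parsed = parse_port(line)
        if parsed is None:
            return line  # not a readable PORT command: pass through untouched
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[pub_port] = parsed
        return build_port(self.public_ip, pub_port)


# --- stand-ins for ESP integrity and confidentiality (assumed, not ESP) ---
def keystream(key: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a keyed keystream; applying it twice decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(key, data), t)


def nat_auth_only(alg: FtpAlg, auth_key: bytes, line: str):
    """Integrity-only case: the NAT sees and rewrites PORT, but holds no key
    to recompute the ICV, so the receiver rejects the modified payload.
    Returns (text the NAT forwards, receiver_accepts)."""
    payload = line.encode()
    icv = tag(auth_key, payload)            # computed by the sender
    rewritten = alg.rewrite(payload.decode()).encode()
    return rewritten.decode(), verify(auth_key, rewritten, icv)


def nat_encrypted(alg: FtpAlg, enc_key: bytes, line: str):
    """Encrypted case: the NAT sees only ciphertext, never recognises PORT,
    and the private address reaches the server unchanged.
    Returns (address the server would connect back to, nat_rewrote)."""
    ct = encrypt(enc_key, line.encode())
    forwarded = alg.rewrite(ct.decode("latin-1")).encode("latin-1")
    server_view = encrypt(enc_key, forwarded).decode()   # server decrypts
    parsed = parse_port(server_view)
    return (parsed[0] if parsed else None), forwarded != ct
```

With a plaintext control channel the ALG turns `PORT 10,0,0,5,4,1` into `PORT 203,0,113,7,156,64` and remembers that public port 40000 maps to 10.0.0.5:1025. With integrity-only protection the same rewrite is produced but the receiver's ICV check fails; with encryption nothing is rewritten and the server is told to connect to the unreachable private address. Either way the NAT would need the SA's keys, which is Greg's point.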