From: Adam Vande More
To: Terje Elde
Cc: freebsd-questions@freebsd.org, Frank Leonhardt
Date: Sat, 17 Aug 2013 19:43:07 -0500
Subject: Re: VPN where local private address collide

On Sat, Aug 17, 2013 at 6:29 PM, Terje Elde wrote:
> On 17. aug. 2013, at 16:37, Frank Leonhardt wrote:
> > This is just the sort of problem Google will have when it buys Facebook :-)
>
> Probably not. If Google were to buy Facebook, I'm confident they'd be able to renumber their networks if they have to.
>
> > Your explanation of the foul-up possible with NAPT is well made, although not really talking about the kind of NAT used on Home/SME routers (one public address hiding many private ones) - I'm thinking of Basic NAT - one-to-one replacement, not one-to-many (i.e. static address assignment). All the router (or firewall) needs to do is swap the IP address in the header as it passes through, and swap it back when it returns. The two hosts shouldn't notice a thing.
>
> That's a good theory. In reality, it's much more complicated.
>
> What about SSL/TLS for example? How would the router swap the header in an encrypted session?

Same as it would any session, since only the payload is encrypted. What Frank calls basic NAT, most people call static NAT (at least people who have read enough Cisco docs), and it works just fine. Also, you are confusing headers. IP itself has a header, and TCP and UDP each have their own. SIP/TLS works just fine on static NAT. IPsec is different as it encrypts the port info, but there is almost always something that can be done about this at that level.

> Swapping headers is also a bit outside the scope of NAT

No, it's the entire point of NAT. How do you think the "Translation" occurs? Again, you are confusing header levels.

In general, NAT doesn't care about whatever info is in the payload; only layer 3 and usually layer 4, and in certain configs layer 5, are pertinent to NAT configs.

--
Adam Vande More
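The one-to-one (static) NAT swap discussed above, as an added example that is not code from this thread or from FreeBSD: it rewrites the source address of a constructed IPv4/TCP packet, fixes the IP header checksum and the TCP checksum (whose pseudo-header covers the addresses, a detail Frank's "just swap the IP" leaves out), and leaves ports and the encrypted payload untouched; for a protocol without visible ports (IPsec ESP) only the layer 3 fix applies. All addresses are from the RFC 5737 documentation ranges and the packets are constructed inline.

```python
import socket
import struct

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; the checksum field must be zeroed on input."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, body: bytes) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header in front of body."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", csum(hdr)) + hdr[12:] + body

def tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample: 20-byte TCP header + payload, checksummed over the pseudo-header."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(seg))
    return seg[:16] + struct.pack("!H", csum(pseudo + seg)) + seg[18:]

def static_nat(packet: bytes, private_ip: str, public_ip: str) -> bytes:
    """One-to-one NAT, outbound: rewrite the source address and fix the IP header checksum
    plus (TCP/UDP) the transport checksum, whose pseudo-header covers the addresses."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    ip, rest = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    if ip[12:16] != socket.inet_aton(private_ip):
        return packet                          # no translation entry for this host
    ip[12:16] = socket.inet_aton(public_ip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", csum(bytes(ip)))
    if proto in (6, 17):                       # TCP=6, UDP=17: L4 checksum depends on the IPs
        off = 16 if proto == 6 else 6
        rest[off:off + 2] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(rest))
        rest[off:off + 2] = struct.pack("!H", csum(pseudo + bytes(rest)))
    # Ports and payload are untouched, so an encrypted TLS record passes through unchanged;
    # other protocols (e.g. IPsec ESP, 50) show no ports, but 1:1 NAT never needed them.
    return bytes(ip) + bytes(rest)

def checksums_ok(packet: bytes) -> bool:
    """True when the IP header checksum and (for TCP/UDP) the transport checksum verify."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    rest = packet[ihl:]
    l4 = proto not in (6, 17) or csum(packet[12:20] + struct.pack("!BBH", 0, proto, len(rest)) + rest) == 0
    return csum(packet[:ihl]) == 0 and l4
```

Real NAT code also keeps a translation table for the return direction and handles fragments, but the checksum fix-up is the part that most often gets forgotten in a hand-rolled "just swap the address" implementation.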