Date:      Thu, 15 Mar 2001 01:39:55 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        Robert Clark <res03db2@gte.net>
Cc:        Ted Mittelstaedt <tedm@toybox.placo.com>, Bob Van Valzah <Bob@Talarian.Com>, pW <packetwhore@stargate.net>, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject:   Re: Racoon Problem & Cisco Tunnel
Message-ID:  <20010315013955.A28471@rfx-216-196-73-168.users.reflex>
In-Reply-To: <20010313104927.A59404@darkstar.gte.net>; from res03db2@gte.net on Tue, Mar 13, 2001 at 10:49:27AM -0800
References:  <3AACF40D.4080504@Talarian.Com> <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com> <20010313104927.A59404@darkstar.gte.net>

On Tue, Mar 13, 2001 at 10:49:27AM -0800, Robert Clark wrote:
> 
> 
> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?
> 
> 
> Or maybe a list of protocols that don't work well with NAT?

One of the problems with NAT is that there are no standards. It
supports whatever the NAT software vendor felt like supporting. In
general, to be safe, the list of protocols that do not work well with
NAT is,

  1) Any protocol that is not TCP.

Except you usually can get by with UDP, but watch for timeouts that
can vary from seconds to hours. ICMP? Some might work, some might
not, again, depends on the vendor. IPsec? Well, NAT completely breaks
AH, but the code to NAT IPsec is completely trivial, which does not
imply that a lot of vendors do it. Of course, NAT may or may not cause
your IKE negotiations to fail... depending on the NAT implementation
_and_ the IPsec implementation. Any other protocol? Maybe GRE, but
good luck with anything else.

Madness I tell you, madness. As RFC1631 says (an exact quote),

  The negative characteristics [of NAT] are:
  .
  . 
  .
  5. Problems with SNMP, DNS, ... you name it. 
                                  ^^^^^^^^^^^
Damn straight; we've known all of this from the beginning.

And on top of this, whatever you are running at the application layer
might not like NAT either. Some minor protocols like, oh, FTP, need to
have data changed at the application layer to function. The NAT
software effectively has to act as an application proxy.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
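Added illustration (not part of the thread above) of why NAT breaks AH but not ESP: an AH-style integrity check covers the IP addresses, so a NAT rewrite of the source address invalidates it, while a hop that only decrements TTL does not. The key, addresses and payload are constructed, and the 12-byte truncated HMAC-SHA256 is a simplified stand-in for the real AH ICV (real AH also covers the AH header itself and zeroes more mutable fields).

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread


def ipv4_header(src, dst, proto, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_icv(ip_hdr, payload):
    """AH-style ICV: HMAC over the IP header with mutable fields zeroed
    (TTL and header checksum) plus the payload. The addresses are covered."""
    hdr = bytearray(ip_hdr)
    hdr[8] = 0                # TTL changes per hop, so AH zeroes it
    hdr[10:12] = b"\x00\x00"  # header checksum likewise
    return hmac.new(KEY, bytes(hdr) + payload, hashlib.sha256).digest()[:12]


def esp_icv(payload):
    """ESP-style ICV: covers only the ESP payload, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:12]


def nat_rewrite_src(ip_hdr, new_src):
    """Simulate source NAT: replace the source address and decrement TTL."""
    hdr = bytearray(ip_hdr)
    hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    hdr[8] -= 1
    return bytes(hdr)


def verify_after_nat(payload=b"constructed IPsec payload"):
    """Return (ah_ok, esp_ok) as the receiver would see them after the
    packet crossed a NAT that rewrote the private source address."""
    original = ipv4_header("192.168.1.10", "203.0.113.5", 51)  # 51 = AH
    ah_tag = ah_icv(original, payload)
    esp_tag = esp_icv(payload)
    natted = nat_rewrite_src(original, "198.51.100.7")
    ah_ok = hmac.compare_digest(ah_tag, ah_icv(natted, payload))
    esp_ok = hmac.compare_digest(esp_tag, esp_icv(payload))
    return ah_ok, esp_ok


if __name__ == "__main__":
    print(verify_after_nat())  # (False, True)
```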
