Date: Thu, 15 Mar 2001 01:39:55 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Robert Clark <res03db2@gte.net>
Cc: Ted Mittelstaedt <tedm@toybox.placo.com>, Bob Van Valzah <Bob@Talarian.Com>, pW <packetwhore@stargate.net>, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel
Message-ID: <20010315013955.A28471@rfx-216-196-73-168.users.reflex>
In-Reply-To: <20010313104927.A59404@darkstar.gte.net>; from res03db2@gte.net on Tue, Mar 13, 2001 at 10:49:27AM -0800
References: <3AACF40D.4080504@Talarian.Com> <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com> <20010313104927.A59404@darkstar.gte.net>
On Tue, Mar 13, 2001 at 10:49:27AM -0800, Robert Clark wrote:
>
>
> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?
>
>
> Or maybe a list of protocols that don't work well with NAT?

One of the problems with NAT is that there are no standards. It supports
whatever the NAT software vendor felt like supporting. In general, to be
safe, the list of protocols that do not work well with NAT are,

1) Any protocol that is not TCP.

Except you usually can get by with UDP, but watch for timeouts that can
vary from seconds to hours. ICMP? Some might work, some might not, again,
depends on the vendor. IPsec? Well, NAT completely breaks AH, but the code
to NAT IPsec is completely trivial which does not imply that a lot of
vendors do. Of course, NAT may or may not cause your IKE negotiations to
fail... depending on the NAT implementation _and_ the IPsec implementation.
Any other protocol? Maybe GRE, but good luck with anything else.

Madness I tell you, madness. As RFC1631 says (an exact quote),

  The negative characteristics [of NAT] are:
  . . .
  5. Problems with SNMP, DNS, ... you name it.
                                  ^^^^^^^^^^^

Damn straight; we've known all of this from the beginning.

And on top of this, whatever you are running at the application layer
might not like NAT either. Some minor protocols like, oh, FTP, need to
have data changed at the application layer to function. The NAT software
effectively has to act as an application proxy.
-- 
Crist J. Clark                                cjclark@alum.mit.edu
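The point above about NAT breaking AH, as an added example that is not from the original post or from any IPsec implementation: a simplified model of the RFC 2402 coverage rule (the integrity check covers the immutable IP header fields, with mutable ones such as TTL zeroed), showing that a hop that only decrements TTL still verifies, a NAT source-address rewrite does not, and an ESP-style MAC over the payload alone survives either. The packet fields, key and addresses are constructed for the demonstration.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Simplified IPv4 packet: only the fields the demonstration needs. This is an
# illustration of the RFC 2402 coverage rule, not a real AH implementation.
@dataclass(frozen=True)
class Packet:
    src: str        # source address; immutable in transit, so AH covers it
    dst: str        # destination address; likewise covered
    ttl: int        # mutable in transit, so AH zeroes it before the MAC
    payload: bytes  # transport header plus data

def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))

def ah_icv(key: bytes, pkt: Packet) -> bytes:
    """AH-style ICV: MAC over the immutable header fields (addresses) with
    the mutable TTL field replaced by zero, plus the payload."""
    covered = _ip(pkt.src) + _ip(pkt.dst) + b"\x00" + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:12]

def esp_icv(key: bytes, pkt: Packet) -> bytes:
    """ESP-style ICV: MAC over the encapsulated payload only, so the outer
    addresses are free to change in transit."""
    return hmac.new(key, pkt.payload, hashlib.sha256).digest()[:12]

def verify(icv_fn, key: bytes, pkt: Packet, icv: bytes) -> bool:
    return hmac.compare_digest(icv_fn(key, pkt), icv)

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample key, not a real SA
    original = Packet("192.168.1.20", "203.0.113.5", 64, b"constructed data")
    ah, esp = ah_icv(key, original), esp_icv(key, original)
    # A plain router hop only decrements TTL; a NAT also rewrites the
    # private source address (constructed public address below) and has no
    # key with which to recompute the ICV.
    routed = replace(original, ttl=63)
    natted = replace(original, src="198.51.100.7", ttl=63)
    return {
        "ah_unmodified": verify(ah_icv, key, original, ah),
        "ah_after_router_hop": verify(ah_icv, key, routed, ah),
        "ah_after_nat": verify(ah_icv, key, natted, ah),
        "esp_after_nat": verify(esp_icv, key, natted, esp),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verifies' if ok else 'REJECTED'}")
```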