From owner-freebsd-security Thu Mar 15 11: 9:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 786FC37B719; Thu, 15 Mar 2001 11:09:43 -0800 (PST) (envelope-from nate@yogotech.com)
Received: from nomad.yogotech.com (nomad.yogotech.com [206.127.123.131]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id MAA10308; Thu, 15 Mar 2001 12:08:04 -0700 (MST) (envelope-from nate@nomad.yogotech.com)
Received: (from nate@localhost) by nomad.yogotech.com (8.8.8/8.8.8) id MAA05639; Thu, 15 Mar 2001 12:08:03 -0700 (MST) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15025.4883.482820.502695@nomad.yogotech.com>
Date: Thu, 15 Mar 2001 12:08:03 -0700 (MST)
To: Robert Clark
Cc: Ted Mittelstaedt, Bob Van Valzah, pW, FreeBSD-Security@FreeBSD.ORG, FreeBSD-Questions@FreeBSD.ORG
Subject: Re: Racoon Problem & Cisco Tunnel
In-Reply-To: <20010313104927.A59404@darkstar.gte.net>
References: <3AACF40D.4080504@Talarian.Com> <000801c0ab8b$81d99ca0$1401a8c0@tedm.placo.com> <20010313104927.A59404@darkstar.gte.net>
X-Mailer: VM 6.75 under 21.1 (patch 12) "Channel Islands" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?

Here's some:

1) Single TCP socket (UDP requires special NAT code to work correctly).
2) The client must initiate the connection.
3) The client's local port must *NOT* be fixed.
4) The server's remote port must be fixed.
5) All port/address information must be contained within the packet headers (no information must be passed in the contents of the packets).

If your protocol follows the above guidelines, it should work fine under NAT.

Nate

ps. Did I miss anything obvious?

> Or maybe a list of protocols that don't work well with NAT?

Any protocol that doesn't follow the above convention. DNS (which uses UDP) is an 'exception' in that most NAT implementations contain special code to deal with it.

> On Mon, Mar 12, 2001 at 11:02:03PM -0800, Ted Mittelstaedt wrote:
> > >-----Original Message-----
> > >From: owner-freebsd-questions@FreeBSD.ORG
> > >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> > >Sent: Monday, March 12, 2001 8:07 AM
> > >To: pW
> > >Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
> > >Subject: Re: Racoon Problem & Cisco Tunnel
> > >
> > >
> > >Yes. The five DSL setups with which I'm familiar all grant at least one
> > >public address per house. I believe all are static, but one might be
> > >dynamic. Interference with protocols like IPSec is one of the reasons
> > >why I'd make a public address a requirement when choosing a DSL
> > >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> > >possible. Let's hasten the deployment of IPv6.
> > >
> >
> > -snip-
> >
> > NAT has proven itself reliable and vital and idiot engineers that design TCP
> > protocols that assume everyone has a public IP number are just architecting
> > their own failures, and their protocol's subsequent minimizing by the
> > market. I have some sympathy for protocols like IPSec that came to be
> > during the same time - but organizational-to-organizational IPSec tunnels
> > don't have to pass through the NAT - they can terminate on it. But, anyone
> > doing a new protocol today is a fool if it can't work through a NAT.
> >
> > Ted Mittelstaedt tedm@toybox.placo.com
> > Author of: The FreeBSD Corporate Networker's Guide
> > Book website: http://www.freebsd-corp-net-guide.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
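The following is an added illustration of the five guidelines in Nate's message, not code from the thread or from any FreeBSD component. It is a toy port-translating NAT: it rewrites only the source ip:port of outbound packets, keeps a mapping so replies find their way back, and never looks inside the payload (no DNS- or FTP-style helper). Each function exercises one guideline: a well-behaved client/server exchange works, a server-initiated connection is dropped (guideline 2), the server never sees the client's real local port (guideline 3), and an address written into the payload is not translated (guideline 5). All addresses and ports are constructed for the demo and are not from the original message.

```python
"""Toy port-translating NAT illustrating NAT-friendly protocol guidelines.

Constructed example, not code from the FreeBSD thread. Addresses are from
the RFC 1918 / RFC 5737 documentation ranges and are made up for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

INSIDE_CLIENT = "192.168.1.10"   # private host behind the NAT (constructed)
NAT_PUBLIC_IP = "203.0.113.1"    # the NAT box's single public address (constructed)
SERVER_IP = "198.51.100.7"       # public server on the Internet (constructed)
SERVER_PORT = 443                # fixed remote port on the server (guideline 4)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class Nat:
    """Rewrites the source ip:port of outbound packets to (public_ip, fresh port)
    and maps replies back. Only header fields are touched; the payload is never
    inspected, which is exactly why guideline 5 matters."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            pub_port = self.next_port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[(pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.out_map[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.in_map:
            return None  # no state for this flow: unsolicited packet is dropped
        ip, port = self.in_map[key]
        return Packet(pkt.src_ip, pkt.src_port, ip, port, pkt.payload)


def good_protocol_round_trip() -> Tuple[str, int]:
    """Guidelines 1-4 honoured: client initiates on an ephemeral local port to a
    fixed server port. Returns the (ip, port) the reply is delivered to inside."""
    nat = Nat(NAT_PUBLIC_IP)
    req = Packet(INSIDE_CLIENT, 51234, SERVER_IP, SERVER_PORT, "GET /")
    on_wire = nat.translate_outbound(req)
    # The server answers whatever source it saw: the NAT's public ip:port.
    reply = Packet(SERVER_IP, SERVER_PORT, on_wire.src_ip, on_wire.src_port, "200 OK")
    delivered = nat.translate_inbound(reply)
    return (delivered.dst_ip, delivered.dst_port)


def server_initiated_connection_delivered() -> bool:
    """Guideline 2 violated: the server opens a connection towards the client.
    With no prior outbound state the NAT has nowhere to forward it."""
    nat = Nat(NAT_PUBLIC_IP)
    unsolicited = Packet(SERVER_IP, SERVER_PORT, NAT_PUBLIC_IP, 5000, "CALLBACK")
    return nat.translate_inbound(unsolicited) is not None


def source_port_seen_by_server(client_port: int) -> int:
    """Guideline 3: the server sees the NAT's chosen port, not the client's, so a
    protocol that insists on a particular client port cannot work across NAT."""
    nat = Nat(NAT_PUBLIC_IP)
    pkt = nat.translate_outbound(Packet(INSIDE_CLIENT, client_port, SERVER_IP, SERVER_PORT))
    return pkt.src_port


def payload_address_matches_header() -> bool:
    """Guideline 5 violated: the client writes its own ip:port into the payload
    (FTP PORT style). The header is rewritten, the payload is not, so the peer
    reads a private address it cannot reach."""
    nat = Nat(NAT_PUBLIC_IP)
    pkt = Packet(INSIDE_CLIENT, 51234, SERVER_IP, SERVER_PORT,
                 payload=f"CONNECT-BACK {INSIDE_CLIENT}:51234")
    on_wire = nat.translate_outbound(pkt)
    advertised = on_wire.payload.split()[1]
    return advertised == f"{on_wire.src_ip}:{on_wire.src_port}"


if __name__ == "__main__":
    print("reply delivered to", good_protocol_round_trip())
    print("server-initiated connection delivered:", server_initiated_connection_delivered())
    print("server sees client port", source_port_seen_by_server(51234), "rather than 51234")
    print("payload address matches header:", payload_address_matches_header())
```

The simulator deliberately has no UDP or application-layer helper, which is what guideline 1 and the DNS remark are about: a NAT that only tracks TCP connection state needs extra, protocol-specific code to keep UDP flows or payload-embedded addresses working.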