Date:      Sat, 17 Aug 2013 19:43:07 -0500
From:      Adam Vande More <amvandemore@gmail.com>
To:        Terje Elde <terje@elde.net>
Cc:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>, Frank Leonhardt <freebsd-doc@fjl.co.uk>
Subject:   Re: VPN where local private address collide
Message-ID:  <CA%2BtpaK1kG5BtKjO%2BFrSXwkgTJ_k5K7HxtL8vih7Mq%2Bb7r6KYWg@mail.gmail.com>
In-Reply-To: <1FF39756-0555-4CD8-95B7-862F9644CF78@elde.net>
References:  <520E5EC0.5090105@fjl.co.uk> <9FB6809B-DD5D-4A04-8BD9-0271FAC03181@elde.net> <520F53A2.80707@fjl.co.uk> <B86F8EA5-67BE-4791-8CAE-6E70BB326500@elde.net> <520F8AA8.8030407@fjl.co.uk> <1FF39756-0555-4CD8-95B7-862F9644CF78@elde.net>

On Sat, Aug 17, 2013 at 6:29 PM, Terje Elde <terje@elde.net> wrote:

> On 17. aug. 2013, at 16:37, Frank Leonhardt <freebsd-doc@fjl.co.uk> wrote:
> > This is just the sort of problem Google will have when it buys Facebook :-)
>
> Probably not. If Google were to buy Facebook, I'm confident they'd be able
> to renumber their networks if they have to.
>
> > Your explanation of the foul-up possible with NAPT is well made,
> > although not really talking about the kind of NAT used on Home/SME routers
> > (one public address hiding many private ones) - I'm thinking of Basic NAT -
> > one-to-one replacement, not one-to-many (i.e. static address assignment).
> > All the router (or firewall) needs to do is swap the IP address in the
> > header as it passes through, and swap it back when it returns. The two
> > hosts shouldn't notice a thing.
>
> That's a good theory. In reality, it's much more complicated.
>
> What about SSL/TLS for example?  How would the router swap the header in
> an encrypted session?


Same as it would any session, since only the payload is encrypted.  What
Frank calls basic NAT, most people call static NAT (at least people who have
read enough Cisco docs) and it works just fine. Also you are confusing
headers.  IP itself has a header and TCP and UDP each have their own.
SIP/TLS works just fine on static NAT.  IPsec is different as it encrypts
the port info but there is almost always something that can be done about this
at that level.

> Swapping headers is also a bit outside the scope of NAT

No, it's the entire point of NAT.  How do you think the "Translation"
occurs?  Again you are confusing header levels.  In general, NAT doesn't
care about whatever info is in the payload, only layer 3 and usually layer
4 and in certain configs layer 5 are pertinent to NAT configs.



-- 
Adam Vande More
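The point made above, that static (one-to-one) NAT rewrites only the layer-3 header and leaves the encrypted payload alone, as an added example that is not part of this thread: a minimal IPv4 address rewrite over a constructed IPv4/TCP packet carrying a TLS-looking record. It assumes IPv4 carrying TCP (header length taken from IHL, no other options handling); the addresses and record bytes are made up. The one piece of layer-4 bookkeeping it does show is that the TCP checksum covers an IP pseudo-header, so the NAT box must recompute it even though ports and payload never change.

```python
import struct
import ipaddress

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _fix_checksums(ip: bytearray, tcp: bytearray) -> None:
    """Recompute the IP header checksum and the TCP checksum; the latter covers an IP pseudo-header (RFC 793)."""
    ip[10:12] = b"\0\0"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[16:18] = b"\0\0"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))

def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test input: 20-byte IPv4 header + 20-byte TCP header (PSH/ACK) + payload."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0, s, d))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload)
    _fix_checksums(ip, tcp)
    return bytes(ip + tcp)

def static_nat(packet: bytes, old_ip: str, new_ip: str) -> bytes:
    """Basic (one-to-one) NAT: swap one IPv4 address at layer 3. Ports and payload are never touched."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    old, new = ipaddress.IPv4Address(old_ip).packed, ipaddress.IPv4Address(new_ip).packed
    if ip[12:16] == old:
        ip[12:16] = new        # outbound: private source becomes the mapped public address
    elif ip[16:20] == old:
        ip[16:20] = new        # inbound: mapped public destination becomes the private address
    else:
        raise ValueError("address not in IP header; the static mapping does not apply")
    _fix_checksums(ip, tcp)    # without this step the far end silently discards the segment
    return bytes(ip + tcp)

def checksums_ok(packet: bytes) -> bool:
    """Receiver's view: both checksums verify to zero over the packet as delivered."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0

TLS_RECORD = b"\x17\x03\x03\x00\x08" + bytes(range(8))  # constructed TLS 1.2 application-data record; bytes arbitrary
```

Applying the reverse mapping to the translated packet yields the original bytes exactly, which is the "swap it back when it returns" half of the argument.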