Re: Racoon Problem & Cisco Tunnel

From: Nate Williams (nate@yogotech.com)
Date: 03/15/01


From: Nate Williams <nate@yogotech.com>
Date: Thu, 15 Mar 2001 12:08:03 -0700 (MST)
To: Robert Clark <res03db2@gte.net>


> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?

Here's some:

1) Single TCP socket (UDP requires special NAT code to work correctly).
2) The client must initiate the connection
3) The client's local port must *NOT* be fixed.
4) The server's remote port must be fixed
5) All port/address information must be contained within the packet
   headers (no information must be passed in the contents of the
   packets).

If your protocol follows the above guidelines, it should work fine under
NAT.

Nate

ps. Did I miss anything obvious?

> Or maybe a list of protocols that don't work well with NAT?

Any protocol that doesn't follow the above convention. DNS (which uses
UDP) is an 'exception' in that most NAT implementations contain special
code to deal with it.

> On Mon, Mar 12, 2001 at 11:02:03PM -0800, Ted Mittelstaedt wrote:
> > >-----Original Message-----
> > >From: owner-freebsd-questions@FreeBSD.ORG
> > >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> > >Sent: Monday, March 12, 2001 8:07 AM
> > >To: pW
> > >Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
> > >Subject: Re: Racoon Problem & Cisco Tunnel
> > >
> > >
> > >Yes. The five DSL setups with which I'm familiar all grant at least one
> > >public address per house. I believe all are static, but one might be
> > >dynamic. Interference with protocols like IPSec is one of the reasons
> > >why I'd make a public address a requirement when choosing a DSL
> > >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> > >possible. Let's hasten the deployment of IPv6.
> > >
> >
>
> -snip-
>
> >
> > NAT has proven itself reliable and vital and idiot engineers that design TCP
> > protocols that assume everyone has a public IP number are just architecting
> > their own failures, and their protocol's subsequent minimizing by the
> > market. I have some sympathy for protocols like IPSec that came to be
> > during the same time - but organizational-to-organizational IPSec tunnels
> > don't have to pass through the NAT - they can terminate on it. But, anyone
> > doing a new protocol today is a fool if it can't work though a NAT.
> >
> >
> >
> > Ted Mittelstaedt tedm@toybox.placo.com
> > Author of: The FreeBSD Corporate Networker's Guide
> > Book website: http://www.freebsd-corp-net-guide.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
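The following is an added example, not code from the original thread or from any of its participants. It is a toy port-translating NAT in Python that illustrates Nate's guidelines 2, 3 and 5: the NAT rewrites only packet headers, allocates its own public port for each client flow, and drops inbound packets for which it holds no state. All addresses, the "CALLBACK" payload format and the server behaviour are constructed for the example; only TCP-style flows are modelled (no UDP timers, no special-case ALG code like the DNS handling mentioned above).

```python
# Added example (not from the original thread): a toy port-translating NAT
# that shows why guidelines 2, 3 and 5 above matter. All addresses and the
# "CALLBACK" protocol below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes = b""


@dataclass
class Nat:
    """Rewrites addresses in packet *headers* only; it never looks at payloads."""
    public_ip: str
    next_port: int = 50000
    out_map: Dict[Endpoint, int] = field(default_factory=dict)  # private endpoint -> public port
    in_map: Dict[int, Endpoint] = field(default_factory=dict)   # public port -> private endpoint

    def outbound(self, pkt: Packet) -> Packet:
        """Client -> Internet: allocate a public port for a new private (ip, port).
        The public port is chosen by the NAT, not by the client (guideline 3)."""
        if pkt.src not in self.out_map:
            self.out_map[pkt.src] = self.next_port
            self.in_map[self.next_port] = pkt.src
            self.next_port += 1
        return Packet((self.public_ip, self.out_map[pkt.src]), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> client: only packets addressed to an existing mapping get through."""
        if pkt.dst[0] != self.public_ip or pkt.dst[1] not in self.in_map:
            return None  # no state for this destination: dropped (guideline 2)
        return Packet(pkt.src, self.in_map[pkt.dst[1]], pkt.payload)


NAT = Nat(public_ip="198.51.100.1")
CLIENT: Endpoint = ("10.0.0.5", 40001)      # private address behind the NAT
SERVER: Endpoint = ("203.0.113.10", 443)    # fixed server port (guideline 4)


def well_behaved() -> Optional[Endpoint]:
    """Client initiates; server answers the header source address.
    Returns the endpoint the reply was delivered to, or None if dropped."""
    on_wire = NAT.outbound(Packet(CLIENT, SERVER, b"hello"))
    reply = Packet(SERVER, on_wire.src, b"world")   # server replies to what the header says
    delivered = NAT.inbound(reply)
    return delivered.dst if delivered else None


def address_in_payload() -> Optional[Endpoint]:
    """Breaks guideline 5: the client tells the server its own address inside the
    payload (FTP's PORT command works this way). The NAT does not rewrite payloads,
    so the server learns the private address and its callback never arrives."""
    callback = f"CALLBACK {CLIENT[0]}:{CLIENT[1]}".encode()
    on_wire = NAT.outbound(Packet(CLIENT, SERVER, callback))
    ip, port = on_wire.payload.decode().split()[1].split(":")   # server parses the payload
    delivered = NAT.inbound(Packet(SERVER, (ip, int(port)), b"callback"))
    return delivered.dst if delivered else None


def server_initiated() -> Optional[Endpoint]:
    """Breaks guideline 2: the server opens the connection itself, aiming at a client
    port it assumes is fixed (guideline 3). No mapping exists, so the NAT drops it."""
    delivered = NAT.inbound(Packet(SERVER, (NAT.public_ip, CLIENT[1]), b"unsolicited"))
    return delivered.dst if delivered else None


if __name__ == "__main__":
    print("well-behaved reply reached:", well_behaved())
    print("address-in-payload callback reached:", address_in_payload())
    print("server-initiated connection reached:", server_initiated())
```

Running the block shows the well-behaved exchange delivered to the client, while both the payload-embedded address and the unsolicited server connection are dropped; a real NAT would never even see the packet addressed to 10.0.0.5, since that address is not routable on the Internet, which is exactly why FTP, H.323 and similar protocols need protocol-specific code in the NAT.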
