Re: Racoon Problem & Cisco Tunnel

From: Nate Williams <nate@yogotech.com>
Date: Thu, 15 Mar 2001 12:08:03 -0700 (MST)
To: Robert Clark <res03db2@gte.net>


> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?

Here's some:

1) Single TCP socket (UDP requires special NAT code to work correctly).
2) The client must initiate the connection
3) The client's local port must *NOT* be fixed.
4) The server's remote port must be fixed
5) All port/address information must be contained within the packet
   headers (no information must be passed in the contents of the
   packets).

If your protocol follows the above guidelines, it should work fine under
NAT.

Nate

ps. Did I miss anything obvious?

> Or maybe a list of protocols that don't work well with NAT?

Any protocol that doesn't follow the above convention. DNS (which uses
UDP) is an 'exception' in that most NAT implementations contain special
code to deal with it.

> On Mon, Mar 12, 2001 at 11:02:03PM -0800, Ted Mittelstaedt wrote:
> > >-----Original Message-----
> > >From: owner-freebsd-questions@FreeBSD.ORG
> > >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> > >Sent: Monday, March 12, 2001 8:07 AM
> > >To: pW
> > >Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
> > >Subject: Re: Racoon Problem & Cisco Tunnel
> > >
> > >
> > >Yes. The five DSL setups with which I'm familiar all grant at least one
> > >public address per house. I believe all are static, but one might be
> > >dynamic. Interference with protocols like IPSec is one of the reasons
> > >why I'd make a public address a requirement when choosing a DSL
> > >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> > >possible. Let's hasten the deployment of IPv6.
> > >
> >
>
> -snip-
>
> >
> > NAT has proven itself reliable and vital and idiot engineers that design TCP
> > protocols that assume everyone has a public IP number are just architecting
> > their own failures, and their protocol's subsequent minimizing by the
> > market. I have some sympathy for protocols like IPSec that came to be
> > during the same time - but organizational-to-organizational IPSec tunnels
> > don't have to pass through the NAT - they can terminate on it. But, anyone
> > doing a new protocol today is a fool if it can't work though a NAT.
> >
> >
> >
> > Ted Mittelstaedt tedm@toybox.placo.com
> > Author of: The FreeBSD Corporate Networker's Guide
> > Book website: http://www.freebsd-corp-net-guide.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

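Added illustration (not part of the original thread, and not code from any of the posters): a toy port-translating NAT that rewrites only the IP/TCP headers, with three small scenarios showing why Nate's guidelines 1-4 work and what breaks when guideline 5 (no addresses in the payload) or guideline 2 (client initiates) is violated. The payload case uses an FTP-style PORT command, the classic protocol that carries an address inside the data stream. All addresses (10.0.0.x inside, 203.0.113.1 for the NAT, 198.51.100.10 for the server) and port numbers are constructed for the example.

```python
"""Toy NAPT (port-translating NAT) with no application-level gateways."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class Napt:
    """One public address; mappings are created only by outbound packets."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (priv_ip, priv_port, dst_ip, dst_port) -> public source port
        self.out: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, peer_ip, peer_port) -> (priv_ip, priv_port)
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        # Only the headers are rewritten; the payload passes through untouched.
        return replace(pkt, src_ip=self.public_ip, src_port=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # no mapping: unsolicited inbound traffic is dropped
        priv_ip, priv_port = entry
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


SERVER = ("198.51.100.10", 80)  # constructed server address, fixed remote port


def two_clients_same_server(nat: Napt) -> Tuple[str, str]:
    """Guidelines 1-4: client-initiated TCP, non-fixed local port, fixed server port.
    Two hosts even pick the same local port; the NAT disambiguates them by
    assigning distinct public ports, and each reply finds its way home."""
    a = Packet("10.0.0.2", 50001, *SERVER, b"GET / HTTP/1.0\r\n")
    b = Packet("10.0.0.3", 50001, *SERVER, b"GET / HTTP/1.0\r\n")
    a_out, b_out = nat.outbound(a), nat.outbound(b)
    # The server answers whatever source address/port it saw in the headers.
    reply_a = Packet(SERVER[0], SERVER[1], a_out.src_ip, a_out.src_port, b"200 OK")
    reply_b = Packet(SERVER[0], SERVER[1], b_out.src_ip, b_out.src_port, b"200 OK")
    return (nat.inbound(reply_a).dst_ip, nat.inbound(reply_b).dst_ip)


def port_command_in_payload(nat: Napt) -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Guideline 5 violated: an FTP-style PORT command carries the client's
    own address in the payload. Returns (what the headers say, what the
    payload says); the two disagree, and the payload address is private."""
    priv_ip, data_port = "10.0.0.2", 1024
    cmd = "PORT %s,%d,%d\r\n" % (priv_ip.replace(".", ","), data_port >> 8, data_port & 0xFF)
    pkt = nat.outbound(Packet(priv_ip, 50002, SERVER[0], 21, cmd.encode()))
    fields = pkt.payload.decode().strip().split(" ")[1].split(",")
    payload_addr = (".".join(fields[:4]), (int(fields[4]) << 8) | int(fields[5]))
    return ((pkt.src_ip, pkt.src_port), payload_addr)


def server_initiated(nat: Napt) -> bool:
    """Guideline 2 violated: the server opens a connection toward the client.
    With no mapping, the NAT has nowhere to deliver it and drops it."""
    return nat.inbound(Packet(SERVER[0], 5000, nat.public_ip, 1024)) is None


if __name__ == "__main__":
    print(two_clients_same_server(Napt("203.0.113.1")))
    print(port_command_in_payload(Napt("203.0.113.1")))
    print(server_initiated(Napt("203.0.113.1")))
```

The PORT case is exactly why real NAT boxes grow per-protocol "special code" of the kind Nate mentions for DNS: without an ALG that parses and rewrites the payload, the server is handed an unroutable 10.0.0.2 while the headers say 203.0.113.1.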