Re: Racoon Problem & Cisco Tunnel
From: Nate Williams (firstname.lastname@example.org)
- In reply to: Robert Clark: "Re: Racoon Problem & Cisco Tunnel"
From: Nate Williams <email@example.com> Date: Thu, 15 Mar 2001 12:08:03 -0700 (MST) To: Robert Clark <firstname.lastname@example.org>
> Ted, do you know of any online guidelines to writing protocols
> that function well with NAT?
1) Single TCP socket (UDP requires special NAT code to work correctly).
2) The client must initiate the connection
3) The client's local port must *NOT* be fixed.
4) The server's remote port must be fixed
5) All port/address information must be contained within the packet headers (no information must be passed in the contents of the
If your protocol follows the above guidelines, it should work fine under
ps. Did I miss anything obvious?
> Or maybe a list of protocols that don't work well with NAT?
Any protocol that doesn't follow the above convention. DNS (which uses
UDP) is an 'exception' in that most NAT implementations contain special
code to deal with it.
> On Mon, Mar 12, 2001 at 11:02:03PM -0800, Ted Mittelstaedt wrote:
> > >-----Original Message-----
> > >From: owner-freebsd-questions@FreeBSD.ORG
> > >[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Bob Van Valzah
> > >Sent: Monday, March 12, 2001 8:07 AM
> > >To: pW
> > >Cc: FreeBSD-Security@FreeBSD.ORG; FreeBSD-Questions@FreeBSD.ORG
> > >Subject: Re: Racoon Problem & Cisco Tunnel
> > >
> > >
> > >Yes. The five DSL setups with which I'm familiar all grant at least one
> > >public address per house. I believe all are static, but one might be
> > >dynamic. Interference with protocols like IPSec is one of the reasons
> > >why I'd make a public address a requirement when choosing a DSL
> > >provider. When it comes to NAT, I'm with Vint Cerf--avoid it if at all
> > >possible. Let's hasten the deployment of IPv6.
> > >
> > NAT has proven itself reliable and vital and idiot engineers that design TCP
> > protocols that assume everyone has a public IP number are just architecting
> > their own failures, and their protocol's subsequent minimizing by the
> > market. I have some sympathy for protocols like IPSec that came to be
> > during the same time - but organizational-to-organizational IPSec tunnels
> > don't have to pass through the NAT - they can terminate on it. But, anyone
> > doing a new protocol today is a fool if it can't work through a NAT.
> > Ted Mittelstaedt email@example.com
> > Author of: The FreeBSD Corporate Networker's Guide
> > Book website: http://www.freebsd-corp-net-guide.com
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
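Added example, not from this thread: a toy port-overloading NAT in Python that shows what happens to traffic breaking the guidelines in the reply above (fixed client port, addresses in the payload, unsolicited inbound, a transport without ports). All addresses and packets are constructed; the ESP case rests on the fact that ESP carries no port numbers, which the post itself does not state.

```python
import itertools
from dataclasses import dataclass

@dataclass
class Packet:
    src_ip: str
    src_port: "int | None"   # None for protocols that carry no ports (e.g. ESP)
    dst_ip: str
    dst_port: "int | None"
    proto: str
    payload: str = ""
class Napt:
    """Toy port-overloading NAT: many private hosts share one public address."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.free_ports = itertools.count(first_port)
        self.out = {}    # (proto, private ip, private port) -> public port
        self.back = {}   # (proto, public port) -> (private ip, private port)
    def outbound(self, pkt):
        if pkt.src_port is None:      # guideline 1: only TCP/UDP have ports to overload on
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out:       # first packet of a flow: allocate a public port
            port = next(self.free_ports)
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        # Only the header is rewritten; the payload passes through untouched (guideline 5).
        return Packet(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port, pkt.proto, pkt.payload)
    def inbound(self, pkt):
        target = self.back.get((pkt.proto, pkt.dst_port))
        if target is None:            # guideline 2: nothing gets in unless a client went out first
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1], pkt.proto, pkt.payload)

def demo():
    nat, server = Napt("198.51.100.1"), "203.0.113.9"   # constructed documentation addresses
    # Guideline 3: two clients both insist on local port 500, so the NAT must rewrite at least one.
    a = nat.outbound(Packet("10.0.0.2", 500, server, 500, "udp"))
    b = nat.outbound(Packet("10.0.0.3", 500, server, 500, "udp"))
    # Guideline 5: an address carried in the payload (FTP PORT style) is forwarded verbatim.
    c = nat.outbound(Packet("10.0.0.2", 33000, server, 21, "tcp", payload="PORT 10,0,0,2,128,200"))
    reply = nat.inbound(Packet(server, 500, nat.public_ip, a.src_port, "udp"))  # server answers A
    return {
        "server_sees_ports": [a.src_port, b.src_port],          # neither is 500 any more
        "payload_leaks_private_ip": "10,0,0,2" in c.payload,
        "reply_reaches_client": (reply.dst_ip, reply.dst_port),
        "unsolicited_inbound": nat.inbound(Packet(server, 80, nat.public_ip, 80, "tcp")),
        "esp_translated": nat.outbound(Packet("10.0.0.2", None, server, None, "esp")),
    }
```

A server that insists on seeing source port 500, or that connects back to the address found in the payload, fails for exactly the reasons listed; only the flow the client opened, replied to on the translated port, makes it back through.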