North American Network Operators Group


Re: [arin-announce] IPv4 Address Space (fwd)

  • From: Owen DeLong
  • Date: Wed Oct 29 12:16:52 2003

No. IPSEC and SIP break because their payloads include information that
is dependent on the IP address header. In the case of IPSEC, this is
to support end-to-end authentication and avoid certain kinds of man-in-
the-middle attacks. In the case of SIP, it's because SIP is a call setup
protocol which facilitates the creation of an RTP session. It's much the
same problem as FTP. The reason FTP doesn't BORK is because most NAT
gateways understand about the need to proxy FTP and because PASSIVE mode
FTP doesn't have the same call-setup problems.

In the case of IPSEC, there is an IPSEC standard for NAT traversal. It
allows for a slight compromise in the end-to-end security while still
preserving most of the capabilities of IPSEC.

UDP works just fine through NAT, as evidenced by DNS and other protocols
that aren't inherently broken with NAT. (Of course, DNS could suffer from
the same effects as SIP on some levels since the contents of the DNS
A record answers may be dependent on an un-natted world).

Owen


--On Wednesday, October 29, 2003 10:57 AM +0000 Dave Howe <[email protected]> wrote:

> Avleen Vig wrote:
> > If "more IP addresses" is the only motivation for using IPv6, it's
> > really not enough. For environments where direct access to the
> > internet isn't required, NAT serves perfectly well.
> IPSec, SIP/VoIP or almost anything that relies on UDP borks on NAT,
> doesn't it?


--
If it wasn't signed, it probably didn't come from me.

Attachment: pgp00044.pgp
Description: PGP signature
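The mechanism Owen describes, payloads that depend on the IP header, can be shown with a small model. The following Python is an added example written for this archive page; it is not code from the thread or from any IPsec or SIP implementation, and it does not reproduce the real AH/ESP wire format. It uses an HMAC as a stand-in for the IPsec integrity check value, a constructed key, constructed addresses from the documentation ranges, and a constructed SIP INVITE. The first part shows an AH-style tag computed over the header failing after a NAT rewrites the source address, while a NAT-T-style tag computed only over the inner packet survives the same rewrite. The second part scans a SIP message for the header-dependent fields (Via, Contact, and the SDP c= line) and reports private addresses that no longer match the packet's outer source, which is exactly why RTP set up through an un-natted SIP exchange goes nowhere.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed shared secret, standing in for an IPsec SA's integrity key.
KEY = b"constructed-demo-key"


def integrity_tag(*fields: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated fields (stand-in for an IPsec ICV)."""
    mac = hmac.new(KEY, digestmod=hashlib.sha256)
    for f in fields:
        mac.update(f)
    return mac.digest()


def ah_style_packet(src: str, dst: str, payload: bytes) -> dict:
    """AH-style protection: the tag covers the IP addresses as well as the payload."""
    header = f"{src}>{dst}".encode()
    return {"src": src, "dst": dst, "payload": payload,
            "icv": integrity_tag(header, payload)}


def ah_style_verify(pkt: dict) -> bool:
    """Recompute the tag from the header the receiver actually sees."""
    header = f"{pkt['src']}>{pkt['dst']}".encode()
    return hmac.compare_digest(pkt["icv"], integrity_tag(header, pkt["payload"]))


def nat_t_style_packet(src: str, dst: str, payload: bytes) -> dict:
    """NAT-T style: the protected unit is the inner packet; the outer header is not covered."""
    inner = f"{src}>{dst}".encode() + b"|" + payload
    return {"src": src, "dst": dst, "udp_port": 4500,  # 4500 is the IPsec NAT-T port
            "inner": inner, "icv": integrity_tag(inner)}


def nat_t_style_verify(pkt: dict) -> bool:
    return hmac.compare_digest(pkt["icv"], integrity_tag(pkt["inner"]))


def nat_rewrite(pkt: dict, public_ip: str) -> dict:
    """Model a NAT gateway replacing the outer source address on the way out."""
    out = dict(pkt)
    out["src"] = public_ip
    return out


# Constructed SIP INVITE from a host behind NAT (RFC 1918 address in every
# address-bearing field, as a real phone would send it).
SIP_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060\r\n"
    "Contact: <sip:alice@192.168.1.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

_SIP_FIELDS = (
    ("Via", r"^Via:.*?(\d+(?:\.\d+){3})"),
    ("Contact", r"^Contact:.*?@(\d+(?:\.\d+){3})"),
    ("c", r"^c=IN IP4 (\d+(?:\.\d+){3})"),
)


def sip_embedded_addresses(msg: str) -> list:
    """Return (field, address) for each header-dependent address in the message."""
    found = []
    for line in msg.split("\r\n"):
        for field, pat in _SIP_FIELDS:
            m = re.match(pat, line)
            if m:
                found.append((field, m.group(1)))
    return found


def sip_nat_mismatches(msg: str, outer_src: str) -> list:
    """Embedded private addresses that disagree with the outer IP source after NAT."""
    return [(f, a) for f, a in sip_embedded_addresses(msg)
            if a != outer_src and ipaddress.ip_address(a).is_private]


if __name__ == "__main__":
    inside, peer, public = "192.168.1.10", "203.0.113.50", "198.51.100.4"
    ah = ah_style_packet(inside, peer, b"hello")
    print("AH-style before NAT:", ah_style_verify(ah))
    print("AH-style after NAT: ", ah_style_verify(nat_rewrite(ah, public)))
    nt = nat_t_style_packet(inside, peer, b"hello")
    print("NAT-T style after NAT:", nat_t_style_verify(nat_rewrite(nt, public)))
    print("SIP fields still carrying the inside address:",
          sip_nat_mismatches(SIP_INVITE, public))
```

Run stand-alone it prints True, False, True and then the three SIP fields. The detection half is the piece a SIP-aware NAT (or an ALG) has to perform before it can rewrite those fields, and the same scan is a cheap way to check whether a device behind NAT is leaking its private address in signalling.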