just a comment inline.
On Feb 14, 2008, at 4:09 PM, Rémi Denis-Courmont wrote:
On Thursday 14 February 2008 16:51:21 ext Iljitsch van Beijnum, you
also 6to4 does not work through many NATs.
The reason that as a rule, you can't do 6to4 through NAT is because
you don't know your 6to4 prefix if you don't know your real IPv4
address. Whether the packets make it through is a different question.
No no no. You can find your external IPv4 address using STUN, Teredo,
whatismyip.com, you-name-it, and infer the 6to4 prefix from that.
further assume that no other host is using proto-41 within the same
It still will not work. IPsec pass-through lets you receive traffic
IPsec gateway you sent ESP packets to. But for 6to4 to work, you
receive proto-41 packets from ANY remote peer, owing to the asymmetric
routing. I did try for real.
Or, when designing new protocols, the checksum is calculated in
way that address translation isn't a problem. Or the implementation
discovers the outer IPv4 address and adjusts its checksum calculation
accordingly. This doesn't make all non-TCP/UDP protocols impossible.
Indeed, but all new "real transport" protocols do re-use the "pseudo-
header" in their checksum computation to date, and I have seen no
change this so far.
SCTP does NOT use a pseudo IP header for its checksum calculation.
Also, even then, you're still going to shoot yourself in the foot if
hosts try to use the same protocol to the same remote node (which is
quite likely), unless the NAT knows how to mangle port numbers for the
So as was already mentioned, one could
argue the waist hourglass is HTTP and HTTP/SSL, and this
Many NATs and firewalls block incoming TCP sessions or unexpected UDP
packets. So if we use the logic "only stuff that works on 100% of all
hosts connected to the internet is relevant" then EVERYTHING is
Agreed. It's just a matter of how many nines you want/need to have.
I bet only HTTP can get one single nine by the way :( i.e. >90%.
Ietf mailing list