ietf

RE: Netmeeting - NAT issue

2002-03-17 20:10:03


--On Sunday, March 17, 2002 18:51:48 -0800 Peter Ford <peterf(_at_)Exchange(_dot_)Microsoft(_dot_)com> wrote:

If one really believes in end to end architectures, then one probably
would want generalized protocols for supporting hosts telling the
network what to do wrt opening holes at NATs/Firewalls for inbound
traffic.  Doing this form of traversal mapping on a protocol by protocol
basis (e.g. H.323 gateway, SIP proxies, etc.) does create an interesting
market niche for the firewall vendors, but it is not clear this is the
right model for the long term.

I don't think it is; my suggestion below was merely practical.


Microsoft has recently addressed the NAT traversal issue for multimedia
scenarios by shipping Messenger in Windows XP and it uses universal plug
and play protocols (www.upnp.org) to open holes on upnp capable internet
gateways. There are many vendors building upnp capable NATs in 2002.

Nice.

Even if the *AT* in NATs go away, the reason people buy them won't.
There needs to be a way for applications and firewalls to coordinate -
perhaps in the same way that highway designers and car designers usually
agree on the basic design parameters of on/off ramps.

I agree; it's going to be hard to secure, but I guess that's what makes it interesting.


Regards, peter



-----Original Message-----
From: Andrew McGregor [mailto:andrew(_at_)indranet(_dot_)co(_dot_)nz]
Sent: Sunday, March 17, 2002 5:34 PM
To: Joe Touch; Vivek Gupta
Cc: ietf(_at_)ietf(_dot_)org
Subject: Re: Netmeeting - NAT issue

Or, get a NAT which *does* connection-track H.323.  They do exist,
open-source and not, and work just fine.

Better, get a proper H.323 gateway (which will work behind an H.323 aware
NAT if done properly) so people can call in as well as out.

However, NAT is still brokenness. (and so is H.323)

Andrew

--On Tuesday, March 12, 2002 15:17:35 -0800 Joe Touch <touch(_at_)ISI(_dot_)EDU> wrote:

NAT doesn't support Netmeeting. It uses H.323 encoding, which uses IP
addresses and dynamically assigned ports in-band (inside the connection).
The NAT is translating the outer IP addresses, but because your NAT
doesn't understand H.323, it doesn't know it would have to also translate
the inner addresses and ports. Netmeeting expects that it can dynamically
select a port to use to connect back to your machine, but that defeats
what a NAT "thinks" the Internet looks like (notably because it's
incorrect).

The best solution: get real IP addresses. It's cheaper than wasting your
time figuring out why things don't work.

Joe
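
Added example, not part of any message in this thread: a toy model of the failure Joe Touch describes (outer header translated, in-band address left untouched) next to the H.323-aware, connection-tracking NAT Andrew McGregor suggests. The payload layout (tag + IPv4 + port), the addresses and the port numbers are constructed for illustration; real H.323 carries transport addresses inside ASN.1-encoded messages.

```python
import ipaddress
import struct
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.7"          # constructed NAT external address
INSIDE = ("192.168.1.10", 5004)    # constructed inside host and media port

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    payload: bytes                 # carries the caller's media address in-band

def signalling(ip: str, port: int) -> bytes:
    """Toy stand-in for an in-band transport address: tag + IPv4 + port."""
    return b"ADDR" + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)

def embedded_addr(payload: bytes) -> tuple[str, int]:
    ip = str(ipaddress.IPv4Address(payload[4:8]))
    (port,) = struct.unpack("!H", payload[8:10])
    return ip, port

class Nat:
    def __init__(self, h323_aware: bool):
        self.h323_aware = h323_aware
        self.inbound = {}          # external port -> (inside ip, inside port)
        self.next_port = 40000

    def _map(self, ip: str, port: int) -> int:
        ext = self.next_port
        self.next_port += 1
        self.inbound[ext] = (ip, port)
        return ext

    def outbound(self, pkt: Packet) -> Packet:
        ext = self._map(pkt.src_ip, pkt.src_port)   # every NAT does this part
        payload = pkt.payload
        if self.h323_aware:        # also translate the inner address, open its port
            in_ip, in_port = embedded_addr(payload)
            payload = signalling(PUBLIC_IP, self._map(in_ip, in_port))
        return replace(pkt, src_ip=PUBLIC_IP, src_port=ext, payload=payload)

def callback_target(nat: Nat):
    """Address the remote peer would connect back to, and whether it reaches the host."""
    out = nat.outbound(Packet(INSIDE[0], 49152, signalling(*INSIDE)))
    ip, port = embedded_addr(out.payload)
    return ip, port, ip == PUBLIC_IP and nat.inbound.get(port) == INSIDE
```

With the plain NAT the peer is handed a private address it cannot route to; with the protocol-aware NAT it is handed the public address and a port the NAT has already mapped inward.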








