From: Steven M. Bellovin [mailto:smb(_at_)cs(_dot_)columbia(_dot_)edu]
More precisely, any protocol that uses secondary connections,
the parameters of which are carried in-band in a secured
connection, can't easily be NATted. The most obvious example
is FTP. 4217 notes that it only works through NAT if the
client is aware of the NAT's existence, and that there are
serious security issues even so.
This is a design choice in the protocol, one that I would see as a layering
violation. Application layer protocols should not be talking about IP addresses.
In IPSEC the issue is rather more architectural and it is not really possible
to do a work around without fundamentally changing the principles behind the
protocol.
IPSEC is a Network layer protocol so dealing in the IP addresses is not a
layer violation.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
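Bellovin's FTP example above, worked through as an added illustration that is not part of this thread: a toy NAT application-layer gateway that rewrites a cleartext PORT command (the in-band parameters of FTP's secondary data connection) but can only forward a TLS-protected control channel untouched, which is the situation RFC 4217 describes. The public address 203.0.113.7, the inside client 10.0.0.5, the port numbers, the FtpAlg class and the TLS record bytes are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample: a PORT command as an active-mode FTP client sends it
# in cleartext on the control connection (RFC 959 h1,h2,h3,h4,p1,p2 form).
SAMPLE_PORT_LINE = b"PORT 10,0,0,5,195,80\r\n"

PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port(line: bytes):
    """Decode a PORT command into (IPv4Address, tcp port); None if not PORT."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet, treat as not a usable PORT command
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def format_port(addr: ipaddress.IPv4Address, port: int) -> bytes:
    """Encode (address, port) back into RFC 959 PORT syntax."""
    octets = ",".join(str(b) for b in addr.packed)
    return f"PORT {octets},{port // 256},{port % 256}\r\n".encode()


class FtpAlg:
    """Toy NAT application-layer gateway for active-mode FTP (example only)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = ipaddress.IPv4Address(public_ip)
        self.next_port = first_port
        self.mappings = {}  # public port -> (private address, private port)

    def rewrite_control(self, client_ip: str, payload: bytes):
        """Inspect one control-channel segment sent by an inside client.

        Returns (payload to forward, mapping) where mapping is
        (public port, private address, private port) when a PORT command
        was rewritten, None when the segment is forwarded untouched, and
        (None, None) when the segment is dropped.
        """
        if payload[:1] == b"\x17":
            # Constructed TLS application-data record: any PORT command is
            # inside the ciphertext, so the NAT cannot see or rewrite it and
            # the server's data connection will be aimed at the private
            # address the client named. Nothing useful can be done here.
            return payload, None
        parsed = parse_port(payload)
        if parsed is None:
            return payload, None  # not a PORT command, pass it through
        addr, port = parsed
        # Sanity check: an inside client may only request data connections
        # to itself. Dropping anything else keeps the NAT from being used
        # for FTP bounce toward other inside hosts.
        if addr != ipaddress.IPv4Address(client_ip):
            return None, None
        public_port = self.next_port
        self.next_port += 1
        self.mappings[public_port] = (str(addr), port)
        return format_port(self.public_ip, public_port), (public_port, str(addr), port)


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.7")
    print(alg.rewrite_control("10.0.0.5", SAMPLE_PORT_LINE))
    tls_record = b"\x17\x03\x03\x00\x20" + b"\x00" * 32  # constructed ciphertext
    print(alg.rewrite_control("10.0.0.5", tls_record))
```

The rewrite only works because the gateway reads and edits application-layer text in transit; once the control channel is encrypted the same payload bytes are opaque and the data connection fails unless the client itself knows the NAT's public address, which is exactly the dependency Bellovin points to.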