
RE: Last Call: draft-ietf-v6ops-natpt-to-historic (Reasons to Move NAT-PT to Historic Status) to Informational RFC

2007-02-28 19:36:10

From: Steven M. Bellovin [mailto:smb(_at_)cs(_dot_)columbia(_dot_)edu] 

More precisely, any protocol that uses secondary connections, 
the parameters of which are carried in-band in a secured 
connection, can't easily be NATted.  The most obvious example 
is FTP.  4217 notes that it only works through NAT if the 
client is aware of the NAT's existence, and that there are 
serious security issues even so.

This is a design choice in the protocol, one that I would see as a layering 
violation. Application layer protocols should not be talking about IP addresses.

In IPSEC the issue is rather more architectural and it is not really possible 
to do a work around without fundamentally changing the principles behind the 
protocol.

IPSEC is a Network layer protocol so dealing in the IP addresses is not a 
layer violation.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
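The quoted point about FTP (addresses carried in-band, so a NAT must rewrite them, which becomes impossible once the control channel is secured as in RFC 4217) can be made concrete with a small simulation. The code below is an added example, not part of the thread or of any real NAT implementation; the `Nat` class, `alg_rewrite` function, addresses, ports and the port-allocation scheme are all constructed for illustration.

```python
"""
Simulates the FTP application-layer gateway (ALG) a NAT needs in order to
pass the PORT command, and shows why the ALG is blind once the control
channel is encrypted.  All names and addresses here are constructed.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: a server on the Internet cannot reach these addresses.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# PORT h1,h2,h3,h4,p1,p2  (RFC 959 syntax), one command per line
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")


def parse_port(line: bytes):
    """Return (ip, port) named by a PORT command, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    v = [int(x) for x in m.groups()]
    if any(x > 255 for x in v):
        return None
    return f"{v[0]}.{v[1]}.{v[2]}.{v[3]}", v[4] * 256 + v[5]


def format_port(ip: str, port: int) -> bytes:
    """Encode (ip, port) back into PORT syntax."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n".encode()


def is_private(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RFC1918)


@dataclass
class Nat:
    """Toy NAT: one external address, sequential external ports (constructed)."""
    external_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # ext_port -> (int_ip, int_port)

    def map_inbound(self, internal_ip: str, internal_port: int) -> int:
        ext_port = self.next_port
        self.next_port += 1
        self.mappings[ext_port] = (internal_ip, internal_port)
        return ext_port


def alg_rewrite(nat: Nat, line: bytes, *, client_ip: str, encrypted: bool):
    """
    What the NAT forwards to the server for one control-channel line.
    Returns (bytes_to_forward or None if dropped, mapping or None).
    """
    if encrypted:
        # Under TLS the ALG sees only ciphertext: it cannot locate, validate or
        # rewrite the PORT command, so the server later receives the private
        # address untouched and its data connection fails.
        return line, None
    parsed = parse_port(line)
    if parsed is None:
        return line, None            # not a PORT command: pass through
    int_ip, int_port = parsed
    if int_ip != client_ip:
        # Only open a pinhole toward the host that owns the control connection;
        # otherwise the ALG could be talked into mapping a port to a third host.
        return None, None
    ext_port = nat.map_inbound(int_ip, int_port)
    return format_port(nat.external_ip, ext_port), (ext_port, int_ip, int_port)


def server_target(plaintext_line: bytes):
    """The address the FTP server will dial after decrypting/reading the line."""
    return parse_port(plaintext_line)


if __name__ == "__main__":
    nat = Nat(external_ip="203.0.113.5")
    cmd = b"PORT 10,0,0,7,4,1\r\n"
    print(alg_rewrite(nat, cmd, client_ip="10.0.0.7", encrypted=False))
    print(alg_rewrite(nat, cmd, client_ip="10.0.0.7", encrypted=True))
```

In the cleartext case the NAT substitutes its own address and a mapped port and records the mapping; in the encrypted case the line passes through unchanged and the server is handed an RFC 1918 address it cannot reach. The `client_ip` check is the kind of sanity check an ALG needs because it is creating inbound mappings on the strength of data the client chose.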
