
Re: I-D Action:draft-rosenberg-internet-waist-hourglass-00.txt]

2008-02-14 08:10:04
On Thursday 14 February 2008 16:51:21 ext Iljitsch van Beijnum, you wrote:
> > also 6to4 does not work through many NATs.
>
> The reason that as a rule, you can't do 6to4 through NAT is because
> you don't know your 6to4 prefix if you don't know your real IPv4
> address. Whether the packets make it through is a different question.

No no no. You can find your external IPv4 address using STUN, Teredo, 
whatismyip.com, you-name-it, and infer the 6to4 prefix from that. You may 
further assume that no other host is using proto-41 within the same NAT.

It still will not work. IPsec pass-through lets you receive traffic from the 
IPsec gateway you sent ESP packets to. But for 6to4 to work, you need to 
receive proto-41 packets from ANY remote peer, owing to the asymmetric 
routing. I did try for real.

(...)
> Or, when designing new protocols, the checksum is calculated in such a
> way that address translation isn't a problem. Or the implementation
> discovers the outer IPv4 address and adjusts its checksum calculation
> accordingly. This doesn't make all non-TCP/UDP protocols impossible.

Indeed, but all new "real transport" protocols do re-use the "pseudo-IP 
header" in their checksum computation to date, and I have seen no proposal to 
change this so far.

Also, even then, you're still going to shoot yourself in the foot if multiple 
hosts try to use the same protocol to the same remote node (which is in fact 
quite likely), unless the NAT knows how to mangle port numbers for the 
specific protocol.

> > So as was already mentioned, one could
> > argue the waist hourglass is HTTP and HTTP/SSL, and this discussion is
> > irrelevant.
>
> Many NATs and firewalls block incoming TCP sessions or unexpected UDP
> packets. So if we use the logic "only stuff that works on 100% of all
> hosts connected to the internet is relevant" then EVERYTHING is
> irrelevant.

Agreed. It's just a matter of how many nines you want/need to have. I bet only 
HTTP can get one single nine by the way :( i.e. >90%.

-- 
Rémi Denis-Courmont
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf
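The pseudo-header argument in the message above, worked through as an added example (not part of the original mail or of any IETF document): a UDP checksum covers the IPv4 source address, so a NAT that rewrites that address must also patch the checksum, which it can only do for transports whose header layout it knows. The addresses, ports and payload are constructed sample values.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Fold data into a 16-bit one's-complement sum (odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src: bytes, dst: bytes, udp_segment: bytes) -> int:
    """UDP checksum as the receiver verifies it (RFC 768): it covers the IPv4
    pseudo-header (src, dst, zero, protocol 17, UDP length) plus the segment,
    whose own checksum field is zero while computing."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp_segment))
    csum = (~ones_complement_sum(pseudo + udp_segment)) & 0xFFFF
    return csum or 0xFFFF  # a zero result is sent as 0xFFFF; 0 means "no checksum"

def nat_incremental_update(old_csum: int, old_addr: bytes, new_addr: bytes) -> int:
    """Fix-up a NAT applies after rewriting one address: HC' = ~(~HC + ~m + m')
    (RFC 1624). It requires knowing where the transport checksum field sits,
    which a NAT does not know for proto-41 or a transport it has no code for."""
    if old_csum == 0:
        return 0  # sender disabled the UDP checksum; nothing to fix up
    complemented_old = bytes(b ^ 0xFF for b in old_addr)
    total = (~old_csum) & 0xFFFF
    total += ones_complement_sum(complemented_old) + ones_complement_sum(new_addr)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

# Constructed sample: inside host 10.0.0.5 sends a UDP datagram to 198.51.100.7:53;
# the NAT rewrites the source address to its external address 192.0.2.1.
INSIDE_SRC = bytes([10, 0, 0, 5])
NAT_EXTERNAL = bytes([192, 0, 2, 1])
DST = bytes([198, 51, 100, 7])
PAYLOAD = b"hello"
UDP_HDR = struct.pack("!HHHH", 40000, 53, 8 + len(PAYLOAD), 0)  # checksum field zeroed
SEGMENT = UDP_HDR + PAYLOAD

def demo() -> dict:
    """Checksum before translation, after a full recompute with the translated
    source, and after the NAT's incremental patch (the last two must agree)."""
    before = udp_checksum(INSIDE_SRC, DST, SEGMENT)
    after_full = udp_checksum(NAT_EXTERNAL, DST, SEGMENT)
    after_nat = nat_incremental_update(before, INSIDE_SRC, NAT_EXTERNAL)
    return {"before": before, "after_full": after_full, "after_nat": after_nat}
```

Running `demo()` shows the checksum changing with the source address (0xEB4C before, 0x3350 after), and the RFC 1624 patch reproducing the full recompute; a protocol the NAT cannot parse gets no such patch and fails the receiver's check.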
