
Re: I-D Action:draft-rosenberg-internet-waist-hourglass-00.txt]

2008-02-14 14:04:51
Dear all,

just a comment inline.

Best regards
Michael

On Feb 14, 2008, at 4:09 PM, Rémi Denis-Courmont wrote:
On Thursday 14 February 2008 16:51:21 ext Iljitsch van Beijnum, you wrote:
also 6to4 does not work through many NATs.

The reason that as a rule, you can't do 6to4 through NAT is because
you don't know your 6to4 prefix if you don't know your real IPv4
address. Whether the packets make it through is a different question.

No no no. You can find your external IPv4 address using STUN, Teredo, whatismyip.com, you-name-it, and infer the 6to4 prefix from that. You may further assume that no other host is using proto-41 within the same NAT.

It still will not work. IPsec pass-through lets you receive traffic from the IPsec gateway you sent ESP packets to. But for 6to4 to work, you need to receive proto-41 packets from ANY remote peer, owing to the asymmetric routing. I did try for real.

(...)
Or, when designing new protocols, the checksum is calculated in such a way that address translation isn't a problem. Or the implementation discovers the outer IPv4 address and adjusts its checksum calculation accordingly. This doesn't make all non-TCP/UDP protocols impossible.

Indeed, but all new "real transport" protocols do re-use the "pseudo-IP header" in their checksum computation to date, and I have seen no proposal to change this so far.
SCTP does NOT use a pseudo IP header for its checksum calculation.


Also, even then, you're still going to shoot yourself in the foot if multiple hosts try to use the same protocol to the same remote node (which is in fact quite likely), unless the NAT knows how to mangle port numbers for the specific protocol.

So as was already mentioned, one could argue the waist hourglass is HTTP and HTTP/SSL, and this discussion is irrelevant.

Many NATs and firewalls block incoming TCP sessions or unexpected UDP
packets. So if we use the logic "only stuff that works on 100% of all
hosts connected to the internet is relevant" then EVERYTHING is
irrelevant.

Agreed. It's just a matter of how many nines you want/need to have. I bet only HTTP can get one single nine by the way :( i.e. >90%.

-- 
Rémi Denis-Courmont
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
http://www.ietf.org/mailman/listinfo/ietf

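The two technical claims in the exchange above, as an added example that is not from any of the posters: deriving a 6to4 prefix from a discovered external IPv4 address (RFC 3056), and why a NAT's address rewriting invalidates a checksum that covers the IPv4 pseudo-header (UDP is used here; TCP behaves the same way) while leaving SCTP's CRC-32C, which covers only the SCTP packet, intact. All addresses, ports, payloads and the verification tag are constructed sample values, and the toy NAT deliberately rewrites only the IP header, modelling a middlebox with no knowledge of the transport protocol it forwards.

```python
import ipaddress
import struct

UDP, SCTP = 17, 132  # IPv4 protocol numbers


def sixto4_prefix(ipv4: str) -> str:
    """6to4 prefix 2002:VVVV:VVVV::/48 for an IPv4 address (RFC 3056).
    This is the inference step discussed above: learn the external address
    (STUN, Teredo, a "what is my IP" service) and derive the prefix from it."""
    hi, lo = struct.unpack("!HH", ipaddress.IPv4Address(ipv4).packed)
    return f"2002:{hi:04x}:{lo:04x}::/48"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), the SCTP checksum, in bitwise reflected form."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def pseudo_header(packet: bytes) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, transport length.
    The addresses in it are exactly what a NAT rewrites."""
    return packet[12:20] + struct.pack("!BBH", 0, packet[9], len(packet) - 20)


def build_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    pkt = ipv4_header(src, dst, UDP, len(seg)) + seg
    # a computed value of 0 is transmitted as 0xFFFF (0 means "no checksum")
    csum = internet_checksum(pseudo_header(pkt) + seg) or 0xFFFF
    return pkt[:26] + struct.pack("!H", csum) + pkt[28:]


def udp_checksum_valid(packet: bytes) -> bool:
    seg = packet[20:]
    stored = struct.unpack("!H", seg[6:8])[0]
    computed = internet_checksum(pseudo_header(packet) + seg[:6] + b"\x00\x00" + seg[8:])
    return stored == computed or (computed == 0 and stored == 0xFFFF)


def build_sctp(src, dst, sport, dport, chunks: bytes) -> bytes:
    # SCTP common header: ports, verification tag, checksum. The CRC is computed
    # with the field zeroed over the SCTP packet only; no addresses are involved.
    # It is stored little-endian here, as the Linux SCTP stack does; the byte
    # order does not affect the point being made.
    common = struct.pack("!HHII", sport, dport, 0xDEADBEEF, 0) + chunks
    crc = crc32c(common)
    return (ipv4_header(src, dst, SCTP, len(common))
            + common[:8] + struct.pack("<I", crc) + common[12:])


def sctp_checksum_valid(packet: bytes) -> bool:
    sctp = packet[20:]
    stored = struct.unpack("<I", sctp[8:12])[0]
    return crc32c(sctp[:8] + b"\x00" * 4 + sctp[12:]) == stored


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """A NAT that understands only IPv4: it rewrites the source address and
    repairs the IP header checksum but never touches the transport layer."""
    hdr = packet[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + packet[16:20]
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


if __name__ == "__main__":
    inside, outside, server = "10.0.0.5", "203.0.113.9", "198.51.100.7"  # constructed
    udp = build_udp(inside, server, 40000, 53, b"constructed payload")
    sctp = build_sctp(inside, server, 5000, 5001, b"\x01\x00\x00\x04")
    print("UDP checksum valid after NAT: ", udp_checksum_valid(nat_rewrite_source(udp, outside)))
    print("SCTP checksum valid after NAT:", sctp_checksum_valid(nat_rewrite_source(sctp, outside)))
    print("6to4 prefix for", outside, "is", sixto4_prefix(outside))
```

The UDP packet fails verification at the receiver after the rewrite, which is why a real NAT must carry transport-specific fix-up code (or an ALG) for every pseudo-header protocol it forwards, and why an unknown protocol that reuses the pseudo-header simply breaks behind it; the SCTP packet verifies unchanged because its CRC never covered the addresses. The 6to4 prefix function is the "infer the 6to4 prefix from the external address" step; it says nothing about whether proto-41 packets from arbitrary peers will actually reach the host, which is the separate problem raised in the thread.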
