If one really believes in end to end architectures, then one probably would want generalized protocols for supporting hosts telling the network what to do wrt opening holes at NATs/Firewalls for inbound traffic. Doing this form of traversal mapping on a protocol by protocol basis (e.g. H.323 gateway, SIP proxies, etc.) does create an interesting market niche for the firewall vendors, but it is not clear this is the right model for the long term. Microsoft has recently addressed the NAT traversal issue for multimedia scenarios by shipping Messenger in Windows XP and it uses universal plug and play protocols (www.upnp.org) to open holes on upnp capable internet gateways. There are many vendors building upnp capable NATs in 2002. Even if the *AT* in NATs go away, the reason people buy them won't. There needs to be a way for applications and firewalls to coordinate - perhaps in the same way that highway designers and car designers usually agree on the basic design parameters of on/off ramps. Regards, peter -----Original Message----- From: Andrew McGregor [mailto:andrew@indranet.co.nz] Sent: Sunday, March 17, 2002 5:34 PM To: Joe Touch; Vivek Gupta Cc: ietf@ietf.org Subject: Re: Netmeeting - NAT issue Or, get a NAT which *does* connection-track H.323. They do exist, open-source and not, and work just fine. Better, get a proper H.323 gateway (which will work behind an H.323 aware NAT if done properly) so people can call in as well as out. However, NAT is still brokenness. (and so is H.323) Andrew --On Tuesday, March 12, 2002 15:17:35 -0800 Joe Touch <touch@ISI.EDU> wrote: > NAT doesn't support Netmeeting. It uses H.323 encoding, which uses IP > addresses and dynamically assigned ports in-band (inside the connection). > The NAT is translating the outer IP addresses, but because your NAT > doesn't understand H.323, it doesn't know it would have to also translate > the inner addresses and ports. Netmeeting expects that it can dynamically > select a port to use to connect back to your machine, but that defeats > what a NAT "thinks" the Internet looks like (notably because it's > incorrect). > > The best solution: get real IP addresses. It's cheaper than wasting your > time figuring out why things don't work. > > Joe > >