RE: Stupid NAT tricks and how to stop them.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 11:23 AM -0700 4/5/06, Michel Py wrote:
 > John C Klensin wrote:
 It is simply not possible to configure those devices
 to support use of static public addresses for hosts
 on the LAN side.

First, this is totally false, see below.

No, it is *partially* false, but unfortunately true in many cases. Some SOHO devices allow to use the outside IP addresses on the inside, and some don't.

More importantly, some that say they allow you to turn off the NAT don't actually work. In the VPNC test lab, we have found some SOHO systems (from more than one vendor, based on code from more than one OEM) where turning off the NAT using the GUI didn't do anything: the NAT was still in force. The vendors had to fix their software before they could continue with our testing because we explicitly do not test with NATs (except for our upcoming testing of IPsec NAT-traversal interop).

The VPNC members were fairly happy to have discovered sooner rather than later that their NAT configuration was not what they thought it was. They were not happy to have to fix their code, of course, but it is better to have to do so early in the shipping cycle before the customer support calls come. On the other hand, one vendor who has a series of boxes that cannot have their NATs turned off said that they essentially never get complaints about it, even though the always-NAT-no-matter-what "feature" is not listed on the box.

Assuming that the system documentation is correct in this area is not a good idea, at least from the hands-on experience in our lab.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]