On Thursday 14 February 2008 16:51:21 ext Iljitsch van Beijnum, you wrote:
> > also 6to4 does not work through many NATs.
>
> The reason that as a rule, you can't do 6to4 through NAT is because
> you don't know your 6to4 prefix if you don't know your real IPv4
> address. Whether the packets make it through is a different question.

No no no. You can find your external IPv4 address using STUN, Teredo, whatismyip.com, you-name-it, and infer the 6to4 prefix from that. You may further assume that no other host is using proto-41 within the same NAT. It still will not work.

IPsec pass-through lets you receive traffic from the IPsec gateway you sent ESP packets to. But for 6to4 to work, you need to receive proto-41 packets from ANY remote peer, owing to the asymmetric routing. I did try for real.

(...)

> Or, when designing new protocols, the checksum is calculated in such a
> way that address translation isn't a problem. Or the implementation
> discovers the outer IPv4 address and adjusts its checksum calculation
> accordingly. This doesn't make all non-TCP/UDP protocols impossible.

Indeed, but all new "real transport" protocols do re-use the "pseudo-IP header" in their checksum computation to date, and I have seen no proposal to change this so far.

Also, even then, you're still going to shoot yourself in the foot if multiple hosts try to use the same protocol to the same remote node (which is in fact quite likely), unless the NAT knows how to mangle port numbers for the specific protocol.

> > So as was already mentioned, one could
> > argue the waist hourglass is HTTP and HTTP/SSL, and this discussion is
> > irrelevant.
>
> Many NATs and firewalls block incoming TCP sessions or unexpected UDP
> packets. So if we use the logic "only stuff that works on 100% of all
> hosts connected to the internet is relevant" then EVERYTHING is
> irrelevant.

Agreed. It's just a matter of how many nines you want/need to have.
I bet only HTTP can get one single nine by the way :( i.e. >90%.

--
Rémi Denis-Courmont
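Two of the points in this exchange are easy to make concrete: deriving the 6to4 prefix from a discovered external IPv4 address, and why a transport checksum that covers the "pseudo-IP header" forces a NAT to understand the protocol it is translating. The following Python is an added illustration, not code from the thread or from any 6to4 or NAT implementation. It uses UDP as the transport (the pseudo-header layout is the same one TCP uses) and constructed RFC 5737 documentation addresses; the function names are my own. It builds a datagram with a correct checksum, shows that rewriting the source address alone invalidates it, and then applies the RFC 1624 incremental update a protocol-aware NAT would perform.

```python
import ipaddress
import struct

UDP_PROTO = 17
CSUM_OFFSET = 6  # offset of the checksum field inside the 8-byte UDP header


def sixto4_prefix(external_ipv4: str) -> str:
    """Map a public IPv4 address to its 6to4 /48 (RFC 3056): 2002:VVVV:WWWW::/48."""
    a, b, c, d = ipaddress.IPv4Address(external_ipv4).packed
    return f"2002:{a:02x}{b:02x}:{c:02x}{d:02x}::/48"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 16-bit ones'-complement sum, returned complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol, transport length."""
    return struct.pack("!4s4sBBH", ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, 0, proto, length)


def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP datagram whose checksum covers the pseudo-header, i.e. the IP addresses."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src, dst, UDP_PROTO, length) + header + payload)
    csum = csum or 0xFFFF  # UDP: a zero field on the wire means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def udp_checksum_field(segment: bytes) -> int:
    return struct.unpack_from("!H", segment, CSUM_OFFSET)[0]


def udp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header + segment must come out zero."""
    return internet_checksum(pseudo_header(src, dst, UDP_PROTO, len(segment)) + segment) == 0


def incremental_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied word by word over a changed field."""
    n = len(old_field) // 2
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(struct.unpack(f"!{n}H", old_field), struct.unpack(f"!{n}H", new_field)):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def nat_translate_udp(segment: bytes, old_src: str, new_src: str) -> bytes:
    """What a UDP-aware NAT must do besides rewriting the IP header: fix the
    transport checksum for the new source address. A NAT that does not know the
    protocol's checksum rules cannot do this, which is the point made above."""
    old_csum = udp_checksum_field(segment)
    if old_csum == 0:  # sender disabled the checksum; nothing to fix
        return segment
    new_csum = incremental_update(old_csum, ipaddress.IPv4Address(old_src).packed,
                                  ipaddress.IPv4Address(new_src).packed)
    return segment[:CSUM_OFFSET] + struct.pack("!H", new_csum or 0xFFFF) + segment[CSUM_OFFSET + 2:]


if __name__ == "__main__":
    # Constructed sample: a host behind a NAT (10.0.0.5) whose external address is 203.0.113.7.
    inside, outside, server = "10.0.0.5", "203.0.113.7", "192.0.2.10"
    print("6to4 prefix for external address:", sixto4_prefix(outside))
    dgram = build_udp(inside, server, 40000, 53, b"ping")
    print("valid as sent:                  ", udp_checksum_ok(inside, server, dgram))
    print("valid after naive src rewrite:  ", udp_checksum_ok(outside, server, dgram))
    fixed = nat_translate_udp(dgram, inside, outside)
    print("valid after checksum update:    ", udp_checksum_ok(outside, server, fixed))
```

The same arithmetic applies to any transport that folds the addresses into its checksum; the NAT also has to know where the checksum field lives and which ports (if any) distinguish two inside hosts talking to the same remote node, which is exactly the per-protocol knowledge the message says a generic NAT lacks.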