Dear all,

just a comment inline.

Best regards
Michael

On Feb 14, 2008, at 4:09 PM, Rémi Denis-Courmont wrote:

> On Thursday 14 February 2008 16:51:21 ext Iljitsch van Beijnum wrote:
>>> also 6to4 does not work through many NATs.
>>
>> The reason that as a rule, you can't do 6to4 through NAT is because
>> you don't know your 6to4 prefix if you don't know your real IPv4
>> address. Whether the packets make it through is a different question.
>
> No no no. You can find your external IPv4 address using STUN, Teredo,
> whatismyip.com, you-name-it, and infer the 6to4 prefix from that. You may
> further assume that no other host is using proto-41 within the same NAT.
>
> It still will not work. IPsec pass-through lets you receive traffic from the
> IPsec gateway you sent ESP packets to. But for 6to4 to work, you need to
> receive proto-41 packets from ANY remote peer, owing to the asymmetric
> routing. I did try for real.
>
> (...)
>> Or, when designing new protocols, the checksum is calculated in such a
>> way that address translation isn't a problem. Or the implementation
>> discovers the outer IPv4 address and adjusts its checksum calculation
>> accordingly. This doesn't make all non-TCP/UDP protocols impossible.
>
> Indeed, but all new "real transport" protocols do re-use the "pseudo-IP
> header" in their checksum computation to date, and I have seen no proposal to
> change this so far.

SCTP does NOT use a pseudo IP header for its checksum calculation.

>
> Also, even then, you're still going to shoot yourself in the foot if multiple
> hosts try to use the same protocol to the same remote node (which is in fact
> quite likely), unless the NAT knows how to mangle port numbers for the
> specific protocol.
>
>>> So as was already mentioned, one could
>>> argue the waist hourglass is HTTP and HTTP/SSL, and this discussion is
>>> irrelevant.
>>
>> Many NATs and firewalls block incoming TCP sessions or unexpected UDP
>> packets. So if we use the logic "only stuff that works on 100% of all
>> hosts connected to the internet is relevant" then EVERYTHING is
>> irrelevant.
>
> Agreed. It's just a matter of how many nines you want/need to have. I bet only
> HTTP can get one single nine by the way :( i.e. >90%.
>
> --
> Rémi Denis-Courmont
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> http://www.ietf.org/mailman/listinfo/ietf
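To make the checksum point in this exchange concrete, here is an added example (not code from either poster): a UDP datagram's checksum covers the IPv4 pseudo-header, so a NAT that rewrites the source address invalidates it and must recompute it, whereas the SCTP CRC32c covers only the SCTP packet and survives the rewrite untouched. The addresses, ports, verification tag and payload are constructed sample values, and the NAT is assumed to rewrite only the source address.

```python
import socket
import struct

# Constructed sample values: RFC 5737 documentation addresses and a short payload;
# the NAT is assumed to rewrite the private source address and nothing else.
PRIVATE_SRC, PUBLIC_SRC, DST, PAYLOAD = "192.0.2.10", "198.51.100.7", "203.0.113.5", b"hello"

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum used by IPv4, TCP and UDP."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total
def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:  # addresses, proto 17, length
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)
def udp_datagram(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header plus payload; the checksum is bound to the addresses it was sent with."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = ~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload) & 0xFFFF
    return hdr[:6] + struct.pack("!H", csum or 0xFFFF) + payload
def udp_ok(src_ip: str, dst_ip: str, udp: bytes) -> bool:
    """Receiver-side check: pseudo-header plus datagram must sum to all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(udp)) + udp) == 0xFFFF

_CRC32C = []
for n in range(256):  # reflected CRC32c (Castagnoli) lookup table
    for _ in range(8):
        n = (n >> 1) ^ 0x82F63B78 if n & 1 else n >> 1
    _CRC32C.append(n)
def crc32c(data: bytes) -> int:
    """CRC32c as specified for SCTP in RFC 4960 Appendix B."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _CRC32C[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF
def sctp_packet(sport: int, dport: int, vtag: int, payload: bytes) -> bytes:
    """SCTP common header plus one DATA chunk; the CRC covers only these bytes."""
    chunk = struct.pack("!BBHIHHI", 0, 3, 16 + len(payload), 1, 0, 0, 0) + payload
    chunk += b"\x00" * (-len(chunk) % 4)  # chunks are padded to a 4-byte boundary
    body = struct.pack("!HHII", sport, dport, vtag, 0) + chunk
    return body[:8] + struct.pack("<I", crc32c(body)) + body[12:]  # CRC stored little-endian
def sctp_ok(packet: bytes) -> bool:  # receiver-side check: recompute with the field zeroed, no IP input
    return crc32c(packet[:8] + b"\x00" * 4 + packet[12:]) == struct.unpack("<I", packet[8:12])[0]

def nat_rewrite_demo() -> dict:
    udp = udp_datagram(PRIVATE_SRC, DST, 40000, 53, PAYLOAD)
    sctp = sctp_packet(40000, 5060, 0x12345678, PAYLOAD)
    return {"udp_valid_before_nat": udp_ok(PRIVATE_SRC, DST, udp),
            "udp_valid_after_nat": udp_ok(PUBLIC_SRC, DST, udp),  # False: the NAT must recompute it
            "sctp_valid_after_nat": sctp_ok(sctp)}                # True: addresses are not covered
```

Note that this only removes the checksum obstacle; Rémi's other point stands, since an SCTP packet still has to be demultiplexed by the NAT when several inside hosts talk to the same remote node.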