[e2e] overlay over TCP

Joe Touch touch at ISI.EDU
Thu Jan 20 08:27:44 PST 2005



Randall Stewart wrote:
> Joe Touch wrote:
> 
>>> Nope.. you DON'T need to rewrite NAT to do SCTP.. it's a simple
>>> set of changes..
>>
>> Let's see. You rewrite your NAT to understand a new protocol number, 
>> where the ports might be, and how to rewrite DATA IN ITS BODY. How do 
>> you accomplish that without "doing SCTP"?
>>
> 
> Would you like me to send you the code? I have it
> done for FreeBSD.. have not gone through extensive testing
> yet since I ran out of time and still have the f/w side
> to complete.
> 
> As to "doing SCTP" NATs don't do TCP.. they know about
> it.. where the ports are, what the c-sum is etc.

And where the data is, which for TCP and DCCP isn't as tricky ;-)

> Same for UDP and of course the same thing is needed
> for SCTP. You have to understand a "SYN" or an "INIT"
> but it is not as complex as you make out.. no more
> complex than having a NAT do TCP...

NATs translate data _inside_ the packets too; that's where 'knowing 
SCTP' is substantially more complex.

>>> You just don't get multi-homing with NAT. But
>>> if you need a NAT chances are you are not too interested in
>>> multi-homing anyway.
>>>
>>> R
>>
>> Well, tell that to people behind multiple firewall NATs at companies 
>> that would like not to be susceptible to one going down. We have a VPN 
>> that goes through such NATs (using UDP) that supports multihoming and 
>> dynamic routing (which is what dynamic choice of a multihomed path is, 
>> IMO), based on a variant of the X-Bone. But then, you knew I preferred 
>> modular solutions based on existing protocols rather than rolling a 
>> vertical stack...
>>
> Well.. one could extend NAT in such a way to support your UDP or
> SCTPish type multi-homing.. but I have never been a proponent of
> such.. it gets ugly. And you end up with the same problem with
> TCP (assuming your earlier routing solution).. since you have
> two different NATs and they need to share state to know
> what has been translated.. the problems are pretty much the
> same... assuming you of course are not using the same NAT
> for all networks (which would defeat the whole purpose
> of multiple networks ... aka no single point of failure
> since the NAT would be a big one)... so I think the same
> problem exists... NATs are just plain ugly... use them
> and you lose flexibility... unless you continue to hack
> an ugly thing :-D
> 
> R

Fair enough - enough NAT bashing today.

Joe
