[136566] in North American Network Operators' Group


RE: quietly....

daemon@ATHENA.MIT.EDU (Matthew Huff)
Thu Feb 3 14:42:23 2011

From: Matthew Huff <mhuff@ox.com>
To: "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu>
Date: Thu, 3 Feb 2011 14:39:15 -0500
In-Reply-To: <37955.1296761312@localhost>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Trust me, I'm very familiar with FTP and firewalls. The problem is not just with NAT, but exists with SPI. Both are solved problems that work with NAT. Something like ftp over SSH works well without fixup or NAT issues and is becoming more standard at least in the financial services community.

IPSEC to a NAT/SPI firewall works fine, though it has issues. But then again, rarely do you want that in a corporate network anyway.

> -----Original Message-----
> From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
> Sent: Thursday, February 03, 2011 2:29 PM
> To: Matthew Huff
> Cc: Owen DeLong; nanog@nanog.org
> Subject: Re: quietly....
>
> On Thu, 03 Feb 2011 13:41:26 EST, Matthew Huff said:
> > Owen, can you point to a application protocol that is broken via NAT that
> > isn't a p2p protocol or VoIP?
>
> The only reason FTP works through a NAT is because the NAT has already
> been hacked up to further mangle the data stream to make up for the
> mangling it does.
>
> I'm told that IPSEC through a NAT can be interesting too...  And that's
> something I'm also told some corporations are interested in.
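
Added example, not part of the original message or of either poster's code: a sketch of the control-channel rewrite that an FTP-aware NAT helper ("fixup") performs on an active-mode `PORT` command, the mangling the quoted reply refers to. The addresses, ports, NAT table layout and function names are constructed for illustration.

```python
import re

# Active-mode FTP (RFC 959): the client names its own data endpoint inside the
# control stream as six decimal bytes: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     rb"(\d{1,3}),(\d{1,3})\r\n$")

# Constructed sample: private client 192.168.1.10 listening on port 50000.
SAMPLE = b"PORT 192,168,1,10,195,80\r\n"


def parse_port(line: bytes):
    """Return (ip, port) carried in a PORT command, or None if not parseable."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def format_port(ip: str, port: int) -> bytes:
    """Encode an endpoint back into PORT syntax."""
    hosts = ",".join(ip.split("."))
    return ("PORT %s,%d,%d\r\n" % (hosts, port >> 8, port & 0xFF)).encode()


def alg_rewrite(line: bytes, nat_table: dict, public_ip: str, public_port: int):
    """Rewrite one control-channel line the way a NAT helper would.

    Returns (line_to_forward, length_delta). A non-zero delta means the NAT
    must also shift TCP sequence/ack numbers for the rest of the connection.
    """
    inside = parse_port(line)
    if inside is None:
        # Not PORT, or unreadable (e.g. an encrypted control channel):
        # the helper cannot fix it up and forwards it untouched.
        return line, 0
    # Pre-open a mapping so the server's inbound data connection is accepted.
    nat_table[(public_ip, public_port)] = inside
    new_line = format_port(public_ip, public_port)
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    table = {}
    print(alg_rewrite(SAMPLE, table, "203.0.113.7", 40001), table)
```

The length change is why such helpers have to track and adjust TCP sequence numbers, and the pass-through branch is why the rewrite stops working once the control channel is encrypted.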

