IP networking was designed with separate layers; NAT breaks this by having to span multiple layers.
Generally NAT gateways only support TCP/UDP; other protocols are simply not supported, which has basically stifled protocol innovation (e.g. look at SCTP: it has some neat features but is hardly ever used because of NAT).
It gets even worse with higher-level protocols like FTP. There is such a thing as FTPS (FTP over SSL), but it's rarely used because if you encrypt the traffic then the NAT gateway can't inspect and rewrite the traffic.
The same is true of IPsec/ESP: if you have an encrypted TCP packet encapsulated with ESP, the NAT gateway can't keep track of which internal host to forward it to because it can't see the source and destination ports.
A normal router does not need to care about anything further up the stack than IP. A firewall does, but even when a firewall doesn't explicitly support a particular protocol, you could write a rule allowing any traffic with a particular protocol number between specific hosts, with anything else denied.
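
The port dependence described above, as an added example that is not part of the original post: a toy port-translating NAT that maps a TCP flow and its reply but has nothing to key on for an ESP packet. The class and function names (`Napt`, `visible_ports`, `ipv4`, `tcp_segment`, `esp_payload`) are hypothetical, and all packets are constructed samples.

```python
import socket
import struct

TCP, UDP, ESP = 6, 17, 50  # IP protocol numbers

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp_segment(sport, dport):
    """First bytes of a TCP header: ports in the clear, rest zero-filled."""
    return struct.pack("!HH", sport, dport) + bytes(16)

def esp_payload(spi, seq):
    """ESP: SPI and sequence number, then ciphertext hiding the inner ports."""
    return struct.pack("!II", spi, seq) + bytes(range(24))

def visible_ports(packet):
    """Return (proto, sport, dport); ports are None unless TCP or UDP."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto in (TCP, UDP):
        return (proto, *struct.unpack("!HH", packet[ihl:ihl + 4]))
    return proto, None, None

class Napt:
    """Toy port-translating NAT keyed on (protocol, port)."""
    def __init__(self):
        self.next_port = 40000
        self.by_inside = {}   # (proto, inside_ip, inside_port) -> public_port
        self.by_public = {}   # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, packet):
        """Return the public port for this flow, or None if untranslatable."""
        proto, sport, _ = visible_ports(packet)
        if sport is None:
            return None
        key = (proto, socket.inet_ntoa(packet[12:16]), sport)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_public[(proto, self.next_port)] = key[1:]
            self.next_port += 1
        return self.by_inside[key]

    def inbound(self, packet):
        """Return (inside_ip, inside_port) for a reply, or None if unknown."""
        proto, _, dport = visible_ports(packet)
        return self.by_public.get((proto, dport))
```

The plain router in the last paragraph would need only `packet[9]` and the two addresses to forward either packet; it is the port lookup that fails for ESP.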