[LUAU] VPN

Brian Chee chee at hawaii.edu
Tue Jun 1 21:51:26 PDT 2004


We also need to keep in mind that NAT according to the RFC has been
implemented loosely by many vendors. NAT on the el cheapo firewalls is NOT a
full implementation like that in Linux. True NAT must keep track of state so
that things like VOIP and video conferencing can get a reply back to their
ack messages when the session is set up. SIP is especially sensitive to such
things (thus why Vonage is being eaten alive by tech support calls) and
why firewall vendors are struggling to do a full implementation that also
keeps track of state. RTCP used for things like H.323 video conferencing and
many SIP implementations MUST have a reply back on session setup or you get
weird things like calls that ring forever on the caller side, but never ring
or answer on the destination.

NATD (aka masquerading) is supposed to be a fuller implementation, but so
far results have been mixed. I'm trying to find enough time to get some
different firewalls built to utilize the VOIP test gear coming in for my
July IP-PBX shootout for InfoWorld...I'm especially interested in seeing how
well the new versions of NATD work as well as Zebra. GateD has sold out and
is no longer open source...MITRE Corp. seems to want a serious pound of flesh
for what started out open source.

So while this wasn't very helpful (sorry), I did want to point out that
many folks are considering VOIP and video conferencing while they mumble
under their breath about NAT...and unless you take care, you may find both
leaving you feeling unsatisfied....

/brian chee

-----Original Message-----
From: luau-bounces at lists.hosef.org [mailto:luau-bounces at lists.hosef.org] On
Behalf Of Vince Hoang
Sent: Tuesday, June 01, 2004 9:40 PM
To: Linux/Unix Advocates/Users Hawaiian community discussion list
Subject: Re: [LUAU] VPN

On Fri, May 28, 2004 at 08:58:33PM -1000, Randall Oshita wrote:
> But I was just wondering if port translation is the same as
> port redirection. Is it safe to say that the nat daemon does
> port translation as well as address?

Maybe. I tried natd 5 years ago. It did what I needed it to do at
the time, but I quickly moved to ipf as soon as I had the chance.
If you need help with it, contact me offlist.

> If so then NAT = NAPT. Wonder why lots of people use it in
> different contexts.

NAPT? My googling mentions NAPT as a means to translate IPv4 to IPv6.

I generally see NAT and masquerading/overloading/PAT referred to
collectively as NAT.

-Vince
_______________________________________________
LUAU at lists.hosef.org mailing list
http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
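The state-tracking point Brian makes above (replies only get back through a NAT that remembers the outbound flow, and SIP media arriving on a port the NAT never saw leave is simply lost) is illustrated by this added Python simulation of a NAPT translation table. It is not code from the thread or from natd/ipf; the addresses and ports are constructed sample values.

```python
# Added example (not code from the thread): a minimal stateful NAPT table.
# Addresses and ports below are constructed sample values.
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"  # constructed public address of the NAT box


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip=PUBLIC_IP, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_table = {}  # (proto, priv_ip, priv_port, rem_ip, rem_port) -> pub_port
        self.in_table = {}   # (proto, pub_port, rem_ip, rem_port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source and record state on first sight."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_table:
            pub = self.next_port
            self.next_port += 1
            self.out_table[key] = pub
            self.in_table[(pkt.proto, pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.out_table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: translate only if state exists; None means dropped."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.in_table:
            return None
        priv_ip, priv_port = self.in_table[key]
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    """SIP signalling gets through; media on an unannounced port does not."""
    nat = Napt()
    # SIP INVITE from a LAN phone to a provider proxy (constructed addresses)
    invite = nat.outbound(Packet("udp", "192.168.1.20", 5060, "198.51.100.10", 5060))
    # Proxy replies to the translated port: state matches, delivered to the phone
    reply = nat.inbound(Packet("udp", "198.51.100.10", 5060, PUBLIC_IP, invite.src_port))
    # RTP/RTCP arrives on the port the phone advertised inside the SIP body, which
    # the NAT never saw leave the LAN: no state, so the packet is dropped
    media = nat.inbound(Packet("udp", "198.51.100.10", 20000, PUBLIC_IP, 8000))
    return invite, reply, media
```

A SIP-aware NAT (an application-level gateway) fixes the dropped media case by reading the advertised port out of the SIP body and pre-creating the state entry; the simulation above deliberately omits that to show the failure.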