[Cryptography] peering through NAT

John Denker jsd at av8n.com
Fri May 10 19:23:12 EDT 2019


On 5/9/19 10:00 PM, Christian Huitema wrote:

>  The technique was standardized
> by the IETF in STUN (RFC 5389, 2003).

Somewhat off-topic, but less so than the rest of this thread....

As Hugh Daniel was fond of pointing out, NAT is an abomination.
It is a sad commentary on the whole industry that we are even
discussing it.

There is a STUN RFC from 2003, but there is an IPv6 RFC from
1995.  IPv6 was already widely supported in the early 00s
e.g. by Windows 2000.

It should have been obvious for many years now that every box
that does NAT should do native IPv6 if available, and should
terminate 6to4 (or 6rd) tunnels otherwise.  This is how
every network I've set up in the last 15 years has done it.

a) IPv6 makes a great many NAT-related questions moot.
 Every client on the subnet behind the NAT box can have
 its own globally-routable address.
b) It also simplifies IPsec deployment.
c) Note that (a) and (b) are not unrelated.

When will NAT-box manufacturers get with the program?
You'd think this would be a selling point.
What in the name of Godot are they waiting for?
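
A worked illustration of the point about NAT boxes terminating 6to4, added here as an example that is not part of the post above: given a host's own IPv4 address and the server-reflexive address a STUN binding reply reports for it, decide which box (if any) can own the 6to4 tunnel endpoint, and derive that endpoint's 2002::/16 prefix per RFC 3056. The non-routable range list, the sample addresses and the function names are constructed for this example.

```python
import ipaddress

# Ranges that cannot serve as a 6to4 tunnel endpoint, because RFC 3056
# requires a globally reachable IPv4 address. Constructed list: RFC 1918,
# CGNAT shared space (RFC 6598), loopback, link-local and "this network".
NOT_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_routable(v4: str) -> bool:
    """True if v4 could be reached by 6to4 relays on the public Internet."""
    addr = ipaddress.IPv4Address(v4)
    return not any(addr in net for net in NOT_ROUTABLE)


def six_to_four_prefix(v4: str) -> ipaddress.IPv6Network:
    """Derive the 6to4 /48: 2002:WWXX:YYZZ::/48, where WWXX:YYZZ are the
    four octets of the endpoint's public IPv4 address in hex."""
    if not is_routable(v4):
        raise ValueError(f"{v4} cannot terminate a 6to4 tunnel")
    v4_int = int(ipaddress.IPv4Address(v4))
    # 2002 occupies the top 16 bits, the IPv4 address the next 32 bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))


def where_to_terminate(local_v4: str, reflexive_v4: str) -> str:
    """Decide who must own the 6to4 endpoint, given the host's own address
    and the server-reflexive address a STUN binding reply returned for it."""
    if local_v4 == reflexive_v4:
        return "host"       # no NAT in the path; the host can run 6to4 itself
    if is_routable(reflexive_v4):
        return "nat-box"    # classic NAT: the NAT box owns the public endpoint
    return "none"           # CGNAT / double NAT: no 6to4 endpoint exists at all;
                            # only native IPv6 or a provider-run 6rd tunnel helps


if __name__ == "__main__":
    # Constructed sample: RFC 1918 host behind a NAT box with a documentation
    # (TEST-NET-1) address standing in for the public side.
    print(six_to_four_prefix("192.0.2.1"))
    print(where_to_terminate("192.168.1.20", "192.0.2.1"))
    print(where_to_terminate("192.168.1.20", "100.64.5.9"))
```

The third case is the one the post's recommendation cannot rescue: when the NAT box's own WAN address is itself from CGNAT space, nothing on the customer side can terminate 6to4, so only native IPv6 or 6rd remains.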
