On Sat, Aug 17, 2013 at 6:29 PM, Terje Elde <te...@elde.net> wrote: > On 17. aug. 2013, at 16:37, Frank Leonhardt <freebsd-...@fjl.co.uk> wrote: > > This is just the sort of problem Google will have when it buys Facebook > :-) > > Probably not. If Google were to buy Facebook, I'm confident they'd be able > to renumber their networks if they have to. > > > Your explanation of the foul-up possible with NAPT is well made, > although not really talking about the kind of NAT used on Home/SME routers > (one public address hiding many private one) - I'm thinking of Basic NAT - > one-to-one replacement, not one-to-many. (i.e. static address assignment). > All the router (or firewall) needs to do is swap the IP address in the > header as it passes through, and swap it back when it returns. The two > hosts shouldn't notice a thing. > > That's a good theory. In reality, it's much more complicated. > > What about SSL/TLS for example? How would the router swap the header in > an encrypted session?
Same as it would any sessions since only the payload is encrypted. What Frank calls basic nat, most people call static nat(at least people who have read enough Cisco docs) and it works just fine. Also you are confusing headers. IP itself has a header and TCP and UDP each have their own. SIP/TLS works just fine on static nat. IPsec is different as it encrypts the port info but there is almost always something can be done about this at that level. > Swapping headers is also a bit outside the scope of NAT No, it's the entire point of NAT. How do you think the "Translation" occurs? Again you are confusing header levels. In general, NAT doesn't care about whatever info is in the payload, only layer 3 and usually layer 4 and in certain configs layer 5 are pertinent to NAT configs. -- Adam Vande More _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
