>>>>> "Yoav" == Yoav Nir <y...@checkpoint.com> writes:
    Yoav> "direct endpoint-to-endpoint connectivity may not be possible
    Yoav> if both endpoints are NATed" 

    Yoav> Why?  There are several protocols (SIP/RTP come to mind) that
    Yoav> manage endpoint-to-endpoint connectivity even when both are
    Yoav> behind NAT. Why shouldn't IPsec endpoints do this? 

yes, sorta.
1) lots of SIP things actually fail through NATs, even when the entire
   path is under the VoIP/IP provider's control.  (For instance, Busy-Light
   Indicators are sent async.)

2) SIP with STUN fails over to using the STUN (or TURN) gateway to relay all traffic
   when it discovers a restricted-cone NAT.  That means that SIP "works"
   by sending all traffic to a "data centre" (DC, to use the terms in
   this ticket).

I think that this issue needs to enumerate the kinds of reasons why an
endpoint may be unable to receive connections.   In particular, we may
in fact have to detect the various situations and automatically work
around them.  (One workaround is sometimes to have the captive node
initiate the connection, something that we have the control mechanisms
to do.)

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
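The point made above about restricted-cone NATs and the "captive node initiates" workaround, as an added illustration that is not part of the thread and not any IPsec or STUN implementation's code: a toy model of a restricted-cone NAT (RFC 3489 terminology) showing that an unsolicited inbound packet to the STUN-discovered mapping is dropped, while the same peer gets through once the NATed host has sent to it first. All addresses and the `RestrictedConeNAT`/`scenario` names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class RestrictedConeNAT:
    """Toy restricted-cone NAT (RFC 3489 terminology), constructed for this example.

    - One external port per internal (ip, port), reused for every peer.
    - An inbound packet to that external port is delivered only if the
      internal host has previously sent something to the source IP
      (source port is not checked; checking it would make it port-restricted).
    """
    external_ip: str
    next_port: int = 40000
    mappings: Dict[Endpoint, int] = field(default_factory=dict)   # internal -> external port
    permitted: Dict[int, Set[str]] = field(default_factory=dict)  # external port -> peer IPs seen

    def outbound(self, internal: Endpoint, peer: Endpoint) -> Endpoint:
        """Internal host sends to peer; returns the external (mapped) endpoint."""
        if internal not in self.mappings:
            self.mappings[internal] = self.next_port
            self.permitted[self.next_port] = set()
            self.next_port += 1
        ext_port = self.mappings[internal]
        self.permitted[ext_port].add(peer.ip)
        return Endpoint(self.external_ip, ext_port)

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Packet from src arrives at external dst_port; returns the internal
        endpoint it is delivered to, or None if the NAT drops it."""
        if src.ip not in self.permitted.get(dst_port, set()):
            return None
        for internal, port in self.mappings.items():
            if port == dst_port:
                return internal
        return None


# Constructed sample addresses (documentation ranges), not real hosts.
CAPTIVE = Endpoint("10.0.0.2", 500)        # IKE on the NATed "captive" node
STUN = Endpoint("198.51.100.1", 3478)      # STUN server used to learn the mapping
PEER = Endpoint("192.0.2.10", 500)         # the other IPsec endpoint (or the DC)


def scenario() -> dict:
    nat = RestrictedConeNAT("203.0.113.5")

    # 1. Captive node does a STUN binding; the NAT allocates an external port.
    mapped = nat.outbound(CAPTIVE, STUN)

    # 2. The peer learns 'mapped' out of band and tries to initiate IKE to it.
    #    The captive node never sent to PEER.ip, so the restricted-cone NAT drops it.
    unsolicited = nat.inbound(PEER, mapped.port)

    # 3. Workaround from the message: the captive node initiates instead.
    #    Its first outbound packet opens the mapping for PEER.ip ...
    nat.outbound(CAPTIVE, PEER)
    # ... so the peer's reply is delivered, even from a different source port
    #     (e.g. after floating to UDP/4500 for IPsec NAT traversal).
    reply = nat.inbound(Endpoint(PEER.ip, 4500), mapped.port)

    # 4. A third host that nobody behind the NAT has talked to is still dropped.
    stranger = nat.inbound(Endpoint("192.0.2.99", 500), mapped.port)

    return {"mapped": mapped, "unsolicited": unsolicited, "reply": reply, "stranger": stranger}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:12s} {value}")
```

Running it prints the mapped address, `None` for the unsolicited attempt, the captive endpoint for the reply after the captive node initiated, and `None` again for the stranger; a symmetric NAT (a fresh mapping per destination) would defeat step 3 as well, which is the case where only a relay helps.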