>>>>> "Yoav" == Yoav Nir <y...@checkpoint.com> writes:

    Yoav> "direct endpoint-to-endpoint connectivity may not be possible
    Yoav> if both endpoints are NATed"

    Yoav> Why? There are several protocols (SIP/RTP come to mind) that
    Yoav> manage endpoint-to-endpoint connectivity even when both are
    Yoav> behind NAT. Why shouldn't IPsec endpoints do this?

Yes, sorta.

1) Lots of SIP things actually fail through NATs, even when the entire path is under the VoIP/IP provider's control. (For instance, Busy-Light Indicators are sent async.)

2) SIP with STUN falls back to using the STUN (or TURN) gateway to relay all traffic when it discovers a restricted-cone NAT. That means that SIP "works" by sending all traffic to a "data centre" (DC, to use the terms in this ticket).

I think that this issue needs to enumerate the kinds of reasons why an endpoint may be unable to receive connections. In particular, we may in fact have to detect the various situations and automatically work around them. (One workaround is sometimes to have the captive node initiate the connection, something that we have the control mechanisms to do.)
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
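The "detect the situation and work around it" step the message asks for can be made concrete with a toy model. The following is an added example, not code from the thread or from any IETF or vendor implementation: it models NAT mapping and filtering behaviour in RFC 4787 terms (endpoint-independent, address-dependent, address-and-port-dependent) and runs a simplified ICE-style simultaneous-open check between two peers. Every address, port and the STUN server are constructed for the example; the `negotiate`, `natted`, `Nat` and `Host` names are mine. The result shows which NAT combinations reach each other directly, which only work once the captive (NATed) node's packet arrives first and the peer re-aims at it, and which genuinely need a relay in the DC.

```python
"""Toy NAT model (RFC 4787 terms) deciding whether two peers can talk directly,
need the captive side to go first, or need a relay. Constructed example; not a
real STUN/ICE implementation, and all addresses are made up."""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

# The same three behaviours describe mapping (which external port an outbound
# flow gets) and filtering (which inbound packets that port accepts).
EIM = EIF = "endpoint-independent"
ADM = ADF = "address-dependent"
APDM = APDF = "address+port-dependent"   # APDM + APDF is the classic "symmetric" NAT

STUN = ("198.51.100.1", 3478)   # constructed public server reporting reflexive addresses

@dataclass
class Nat:
    public_ip: str
    mapping: str
    filtering: str
    _ports: object = field(default_factory=lambda: count(40000), repr=False)
    _map: dict = field(default_factory=dict, repr=False)   # mapping key -> external port
    _sent: dict = field(default_factory=dict, repr=False)  # external port -> {(ip, port) contacted}

    def outbound(self, inner, dst):
        """Translate a packet from the inner host to dst; return the external (ip, port)."""
        if self.mapping == EIM:
            key = inner
        elif self.mapping == ADM:
            key = (inner, dst[0])
        else:
            key = (inner, dst)                 # new external port per remote (ip, port)
        port = self._map.setdefault(key, next(self._ports))
        self._sent.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, ext_port, src):
        """True if a packet from src to ext_port passes this NAT's filter."""
        contacted = self._sent.get(ext_port)
        if contacted is None:
            return False                       # no mapping on that port at all
        if self.filtering == EIF:
            return True
        if self.filtering == ADF:
            return any(ip == src[0] for ip, _ in contacted)
        return src in contacted                # APDF: exact (ip, port) match required

@dataclass
class Host:
    addr: tuple                 # (ip, port) as the host itself sees it
    nat: Optional[Nat] = None   # None: public, directly reachable endpoint

    def send(self, dst):
        """Return the packet (source as seen on the Internet, dst) produced by sending to dst."""
        src = self.nat.outbound(self.addr, dst) if self.nat else self.addr
        return (src, dst)

    def accepts(self, packet):
        src, dst = packet
        if self.nat is None:
            return dst == self.addr
        return dst[0] == self.nat.public_ip and self.nat.inbound(dst[1], src)

def natted(public_ip, mapping, filtering, inner=("10.0.0.2", 4500)):
    """Convenience constructor: a host on a private address behind the given NAT."""
    return Host(inner, Nat(public_ip, mapping, filtering))

def negotiate(a, b, max_rounds=3):
    """Simplified ICE-style check. Both sides learn their reflexive address from
    STUN, exchange it out of band (signalling assumed), then send to each other
    and re-aim at whatever source address actually arrives.
    Returns ("direct", rounds_needed) or ("relay", None)."""
    target_a = b.send(STUN)[0]      # what A aims at: B's server-reflexive address
    target_b = a.send(STUN)[0]
    got_a = got_b = False
    for rnd in range(1, max_rounds + 1):
        pa, pb = a.send(target_a), b.send(target_b)   # simultaneous open
        if b.accepts(pa):
            got_b, target_b = True, pa[0]   # B now knows A's real mapped address
        if a.accepts(pb):
            got_a, target_a = True, pb[0]
        if got_a and got_b:
            return ("direct", rnd)
    return ("relay", None)

if __name__ == "__main__":
    cases = {
        "both public": (Host(("203.0.113.1", 4500)), Host(("203.0.113.2", 4500))),
        "public A, symmetric B": (Host(("203.0.113.1", 4500)), natted("192.0.2.2", APDM, APDF)),
        "restricted-cone both": (natted("192.0.2.1", EIM, ADF), natted("192.0.2.2", EIM, ADF)),
        "restricted-cone A, symmetric B": (natted("192.0.2.1", EIM, ADF), natted("192.0.2.2", APDM, APDF)),
        "port-restricted A, symmetric B": (natted("192.0.2.1", EIM, APDF), natted("192.0.2.2", APDM, APDF)),
        "symmetric both": (natted("192.0.2.1", APDM, APDF), natted("192.0.2.2", APDM, APDF)),
    }
    for name, (a, b) in cases.items():
        print(f"{name:32s} -> {negotiate(a, b)}")
```

A result of `("direct", 1)` means both first packets landed; `("direct", 2)` means only one side's first packet got through (the captive node's, when its peer is public or has an address-dependent filter) and the other side had to re-aim at the observed source, which is the "have the captive node initiate" workaround. `("relay", None)` covers the combinations where neither side can learn a usable mapping without port prediction, so traffic has to go via the DC.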