No. IPSEC and SIP break because their payloads include information that is dependent on the IP address header. In the case of IPSEC, this is to support end-to-end authentication and avoid certain kinds of man-in-the-middle attacks. In the case of SIP, it's because SIP is a call setup protocol which facilitates the creation of an RTP session. It's much the same problem as FTP. The reason FTP doesn't BORK is because most NAT gateways understand about the need to proxy FTP and because PASSIVE mode FTP doesn't have the same call-setup problems.

In the case of IPSEC, there is an IPSEC standard for NAT traversal. It allows for a slight compromise in the end-to-end security while still preserving most of the capabilities of IPSEC.

UDP works just fine through NAT, as evidenced by DNS and other protocols that aren't inherently broken with NAT. (Of course, DNS could suffer from the same effects as SIP on some levels since the contents of the DNS A record answers may be dependent on an un-natted world).

Owen

--On Wednesday, October 29, 2003 10:57 AM +0000 Dave Howe <DaveHowe@gmx.co.uk> wrote:
Avleen Vig wrote:
If "more IP addresses" is the only motivation for using IPv6, it's really not enough. For environments where direct access to the internet isn't required, NAT serves perfectly well.

IPSec, SIP/VoIP or almost anything that relies on UDP borks on NAT, doesn't it?
-- If it wasn't signed, it probably didn't come from me.
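
Added example, not part of the original message: a small Python model of the two failure modes described in the reply, where a NAT rewrites only the IP header while a SIP payload still carries the inside address, and an AH-style integrity value computed over the addresses stops verifying. The packet dictionary, the function names, all addresses and the simplified HMAC construction are assumptions made for illustration; this is not the real AH wire format.

```python
import hashlib
import hmac
import re

# Constructed sample: a SIP INVITE as sent by a host behind NAT (all values made up).
SIP_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:alice@192.168.1.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def nat_rewrite(packet, public_ip):
    """Model a plain NAT: only the header source changes, the payload is untouched."""
    return {**packet, "src": public_ip}

def stale_payload_addresses(packet):
    """Addresses embedded in the payload that no longer match the header source."""
    return sorted({a for a in IPV4.findall(packet["payload"]) if a != packet["src"]})

def ah_icv(key, packet):
    """Simplified AH-style value: HMAC over source, destination and payload."""
    covered = f'{packet["src"]}|{packet["dst"]}|{packet["payload"]}'.encode()
    return hmac.new(key, covered, hashlib.sha256).digest()

def ah_verifies(key, packet, icv):
    """Receiver side: recompute over the packet as received and compare."""
    return hmac.compare_digest(ah_icv(key, packet), icv)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    sent = {"src": "192.168.1.10", "dst": "198.51.100.20", "payload": SIP_INVITE}
    icv = ah_icv(key, sent)                      # computed by the sender before NAT
    received = nat_rewrite(sent, "203.0.113.5")  # what the far end actually sees
    print("stale addresses before NAT:", stale_payload_addresses(sent))
    print("stale addresses after NAT: ", stale_payload_addresses(received))
    print("integrity check before NAT:", ah_verifies(key, sent, icv))
    print("integrity check after NAT: ", ah_verifies(key, received, icv))
```

The stale `c=` and `Contact` addresses are what a SIP-aware gateway has to rewrite, which is the same job an FTP-aware NAT does for the PORT command.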