RE: [Pana] NAT issue

To: "'Yoshihiro Ohba'" <yohba at tari.toshiba.com>, "'Tschofenig, Hannes'" <hannes.tschofenig at siemens.com>
Subject: RE: [Pana] NAT issue
From: "Alper Yegin" <alper.yegin at yegin.org>
Date: Fri, 9 Mar 2007 15:34:35 +0200
Cc: pana at ietf.org
In-reply-to: <20070309125712.GA24607@steelhead>
List-help: <mailto:pana-request@ietf.org?subject=help>
List-id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-post: <mailto:pana@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
Thread-index: AcdiSoV8MRSL8G5qQC2Qf+afyJiJiAABNIbQ

> On Fri, Mar 09, 2007 at 11:27:13AM +0100, Tschofenig, Hannes wrote:
> > Good catch, Yoshi.
> >
> > I assume that you would like to fix it by sending PAA initiated messages
> to the port and address of the last received message.
> 
> Yes, and we still need to make sure that one of source and destination
> ports of any PANA message carries well-known PANA port.

... so that sniffers can still catch the PANA signals.

Also, PAA cannot initiate a PANA session with a PaC behind the NAT. Session can only be initiated by the PaC in that case (by sending the PCI). 

Alper




> 
> Yoshihiro Ohba
> 
> 
> 
> >
> > Ciao
> > Hannes
> >
> > > -----Urspréãgliche Nachricht-----
> > > Von: Yoshihiro Ohba [mailto:yohba at tari.toshiba.com]
> > > Gesendet: Freitag, 9. MéBrz 2007 04:40
> > > An: pana at ietf.org
> > > Betreff: [Pana] NAT issue
> > >
> > > In the current draft:
> > >
> > > "
> > >    When the PANA message is sent in response to a request, the UDP
> > >    source and destination ports of the response message MUST be copied
> > >    from the destination and source ports of the request message,
> > >    respectively.
> > >
> > >    For other PANA messages, the source port MUST be set to a value
> > >    chosen by the sender and the destination port MUST be set to the
> > >    assigned PANA port (To Be Assigned by IANA).
> > > "
> > >
> > > According to this, a PAA-originated request will be always sent to
> > > PANA port.  If there is a NAT between PaC and PAA, this does not seem
> > > to work, because the NAT is typically expecting incoming messages to
> > > be received on the port that was used as the source port of outgoing
> > > messages.
> > >
> > > Yoshihiro Ohba
> > >
> > >
> > > _______________________________________________
> > > Pana mailing list
> > > Pana at ietf.org
> > > https://www1.ietf.org/mailman/listinfo/pana
> > >
> >
> >
> 
> _______________________________________________
> Pana mailing list
> Pana at ietf.org
> https://www1.ietf.org/mailman/listinfo/pana


_______________________________________________
Pana mailing list
Pana at ietf.org
https://www1.ietf.org/mailman/listinfo/pana

References:
- Re: [Pana] NAT issue
  - From: Yoshihiro Ohba

Prev by Date: Re: [Pana] NAT issue
Next by Date: Re: [Pana] Re: Reliable delivery (AD comment)
Previous by thread: Re: [Pana] NAT issue
Index(es):
- Date
- Thread

RE: [Pana] NAT issue

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.