Observations
Goal is a solution that works all the time
- Solutions that only work in some circumstances are too expensive to support and maintain
- Example of a partial solution: Linux Masquerade (many limitations)
Implementing tunneling on the NAT (RFC 2709) may not be practical
- Few inexpensive NAT implementations support IPsec
- IT organizations uncomfortable with this solution, some ban it
Client-NAT communication may not be possible if the client and NAT exist within different administrative domains
- Example: Doubletree Hotel has deployed a NAT for use by guests
IPv6 requires modifications to both hosts and routers
- “Solutions” requiring modifications to both will encounter similar deployment obstacles
- Since every solution requires host modifications, key to deployability is minimizing NAT changes
NAT discovery is important, but difficult
- Important: Don’t want to operate in “NAT compatibility mode” all the time
- Difficult: Clients may not know whether there is a NAT in the path
- The NAT may not exist in the first hop router, but at an intermediate point
- A good NAT discovery solution should not rely on client-NAT communication
- Better to “discover” NATs through evidence of their operation
- This requires cooperation between the endpoints
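
Added example (not from the original slides): one way two endpoints can cooperate to discover a NAT from evidence of its operation, with no client-NAT communication, modeled on the NAT-D payload hash of RFC 3947. The sender hashes the addresses and ports as it sees them; the receiver recomputes the hashes from the packet header it actually received and compares. Assumptions: SHA-256 as the hash, the function names, and the constructed sample addresses.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

def endpoint_hash(cookie_i, cookie_r, ip, port):
    """Digest of one (address, port) pair, bound to this exchange by both cookies."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha256(cookie_i + cookie_r + packed).digest()

def build_claims(cookie_i, cookie_r, local, remote):
    """Sender: hash the addresses exactly as the sender sees them, before any NAT."""
    return {
        "src": endpoint_hash(cookie_i, cookie_r, *local),
        "dst": endpoint_hash(cookie_i, cookie_r, *remote),
    }

def detect_nat(cookie_i, cookie_r, claims, seen_src, seen_dst):
    """Receiver: recompute from the received packet header and compare with the claims."""
    src_same = hmac.compare_digest(
        claims["src"], endpoint_hash(cookie_i, cookie_r, *seen_src))
    dst_same = hmac.compare_digest(
        claims["dst"], endpoint_hash(cookie_i, cookie_r, *seen_dst))
    # A mismatch means some device on the path rewrote that address or port.
    return {"sender_behind_nat": not src_same, "receiver_behind_nat": not dst_same}

# Constructed sample addresses (RFC 1918 and RFC 5737 documentation ranges).
CLIENT = ("10.0.0.5", 500)
NAT_PUBLIC = ("198.51.100.7", 61001)  # source address/port after NAT rewriting
SERVER = ("203.0.113.10", 500)

def simulate(through_nat):
    """Run one exchange; the NAT may sit at any hop, only its rewriting matters."""
    cookie_i, cookie_r = os.urandom(8), os.urandom(8)
    claims = build_claims(cookie_i, cookie_r, CLIENT, SERVER)
    seen_src = NAT_PUBLIC if through_nat else CLIENT
    return detect_nat(cookie_i, cookie_r, claims, seen_src, SERVER)

if __name__ == "__main__":
    print("direct path :", simulate(False))
    print("through NAT :", simulate(True))
```

Because detection rests only on the mismatch, the endpoints can fall back to a NAT compatibility mode when a NAT is actually present rather than all the time.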