[Bug 219918] LibAlias: implement RFC 4787 REQ 1 and 3 (full cone NAT)
Date: Tue, 15 Oct 2024 16:07:17 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219918

--- Comment #12 from Damjan Jovanovic <damjan.jov@gmail.com> ---
(In reply to Kurt Jaeger from comment #10)

EIM = endpoint-independent mapping, same abbreviation that is also used in RFC 6887 (if not more RFCs). They also used EDM = endpoint-dependent mapping (address and port-dependent mapping in RFC 4787).

There are several problems with "full cone":
- The RFC that invented the term, RFC 3489, is now obsolete, and the new version of it, RFC 5389, no longer uses that term.
- All the NAT types described in RFC 3489 confused 2 different concepts: mapping (how packets change going out) and filtering (what can come back in). See the table below for a comparison of RFC 3489 and RFC 4787 terms under different settings.
- When EIM and PKT_ALIAS_DENY_INCOMING are both set, it is no longer a "full cone" NAT, it would be a "port restricted cone" NAT instead.

           |               |                                                |
PKT_ALIAS_ | PKT_ALIAS_    |                                                |
EIM        | DENY_INCOMING | NAT type, by RFC                               | Comment
-----------+---------------+------------------------------------------------+-----------
unset      | unset         | RFC 4787: address and port-dependent mapping   | These are
           |               |           address and port-dependent filtering | the only
           |               | RFC 3489: "symmetric" NAT                      | ways that
-----------+---------------+------------------------------------------------| libalias
unset      | set           | RFC 4787: address and port-dependent mapping   | works
           |               |           address and port-dependent filtering | at
           |               | RFC 3489: "symmetric" NAT                      | present.
-----------+---------------+------------------------------------------------+-----------
set        | unset         | RFC 4787: endpoint-independent mapping         | My patch
           |               |           endpoint-independent filtering       | adds
           |               | RFC 3489: "full cone" NAT                      | these
-----------+---------------+------------------------------------------------| bottom
set        | set           | RFC 4787: endpoint-independent mapping         | 2 rows
           |               |           address and port-dependent filtering | as
           |               | RFC 3489: "port restricted cone" NAT           | options.
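The mapping/filtering split in the comment's table, as an added example that is not part of the original message or of the libalias patch: a toy NAT is probed from outside and classified by observed behaviour, reproducing the four rows. `ToyNat`, its fields, `classify` and the addresses are hypothetical; the model follows the RFC 4787 terms only and does not call libalias.

```python
from dataclasses import dataclass, field

@dataclass
class ToyNat:
    """Hypothetical model of RFC 4787 mapping/filtering; it does not call libalias."""
    eim: bool            # endpoint-independent mapping requested
    deny_incoming: bool  # stands in for the effect the comment gives PKT_ALIAS_DENY_INCOMING
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # mapping key -> external port
    peers: dict = field(default_factory=dict)     # external port -> remotes sent to

    def outbound(self, internal, remote):
        # EIM keys the mapping on the internal endpoint only; otherwise the
        # remote endpoint is part of the key, so each destination gets its own port.
        key = internal if self.eim else (internal, remote)
        port = self.mappings.setdefault(key, self.next_port)
        if port == self.next_port:
            self.next_port += 1
        self.peers.setdefault(port, set()).add(remote)
        return port

    def inbound(self, ext_port, remote):
        if ext_port not in self.peers:
            return False                       # no mapping at all
        if self.eim and not self.deny_incoming:
            return True                        # endpoint-independent filtering
        return remote in self.peers[ext_port]  # address and port-dependent filtering

RFC3489_NAME = {  # names as given in the comment's table
    ("address and port-dependent", "address and port-dependent"): "symmetric",
    ("endpoint-independent", "endpoint-independent"): "full cone",
    ("endpoint-independent", "address and port-dependent"): "port restricted cone",
}

def classify(eim, deny_incoming):
    """Probe a fresh ToyNat from outside, the way a STUN-style test would."""
    nat = ToyNat(eim, deny_incoming)
    host = ("192.168.0.10", 5000)  # constructed addresses
    srv_a, srv_b = ("198.51.100.1", 3478), ("198.51.100.2", 3478)
    port_a = nat.outbound(host, srv_a)
    unsolicited_ok = nat.inbound(port_a, srv_b)  # srv_b has not been contacted yet
    port_b = nat.outbound(host, srv_b)
    mapping = "endpoint-independent" if port_a == port_b else "address and port-dependent"
    filtering = "endpoint-independent" if unsolicited_ok else "address and port-dependent"
    return mapping, filtering, RFC3489_NAME[(mapping, filtering)]

if __name__ == "__main__":
    for eim in (False, True):
        for deny in (False, True):
            print(f"EIM={eim!s:5} DENY_INCOMING={deny!s:5} ->", classify(eim, deny))
```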