OpenBSD Journal

NAT-T

Contributed by jose on from the NAT-traversal dept.

DarkThor wonders: "Hey there...

I've been using OpenBSD for years and I just love it but I am forced to use linux slack to implement vpn with nat-t (still ietf draft) using superfreeswan.

I've already used isakmpd but in our case it is mandatory to support nat-t.

So... is there any way to implement vpn using nat-t on openbsd? Thanks in advance."

Comments
  1. By Aha! () on

    On this very website was a comment that NAT-T isn't being included in ISAKMP for some reason:

    http://www.deadly.org/article.php3?sid=20031024105820&mode=flat

    Comments
    1. By Ralf () on

      Question is: Are the NAT-T patches even available?

      http://www.monkey.org/openbsd/archive/misc/0301/msg01244.html
      seems to indicate they are not. Any news on this?

      Comments
      1. By djm () on

        IIRC there were working patches, but no one on the IETF ipsec working group mailing list would give Markus a straight answer as to what aspects of NAT-T are covered by patents. It seems silly that a fairly simple UDP encapsulation could be patented, but stranger things have happened...

        Comments
        1. By SH () on

          It seems strange that they would not give this information, if they knew it. Perhaps the patents themselves are not that clear.

          /SH

        2. By Anonymous Coward () on

          It is not really your responsibility to prove that all possible work you do is NOT patented, it is a patent holder's responsibility to prove that you have violated his patent. Of course, you need to do some responsible diligent research to make sure you don't knowingly violate patents, but in this case, that research has been done.

          From what I have seen on the mailing lists, markus did what research he could and got no answer. If these patents aren't even granted, only applied for, and the application owners won't comment, it may be that he has performed what due diligence is possible, and it's OK to release the code. It is always possible to take it away later; there is nothing in the OpenBSD license forbidding that.

          It is not really helpful to say "go research the issue instead of arguing with the person doing the work," because it solves nothing. OpenBSD is released in the hope that someone may find it useful. Like all such projects, it lives or dies by volunteer effort and donations. If the official volunteer does not want to release code, someone else can release patches to do the task that the maintainer won't do.

          I may be in the same position of having to reinstall a Linux VPN to get NAT-T, after having just installed an OBSD VPN. Luckily the CD was only 40 bucks. That's not really a terrible thing to deal with, is it? At least I know that I could hire my own programmer if I really needed NAT-T on OpenBSD, which is one of the big points of using free software.

  2. By markus (markus@openbsd.org) on

    if you resolve the IPR/patent issues,
    then i'll commit my patches.

    Comments
    1. By Anonymous Coward () on

      Is OpenBSD always going to suffer anytime anyone says "I patented something kinda similar to something you are thinking about"? Is there even a patent, or has just a patent application been filed? UDP encapsulation isn't a big deal, and I see no patents on it, so what's the problem? Why does the US patent office make decisions for OpenBSD anyways?

      Comments
      1. By Anonymous Coward () on

        http://l2.espacenet.com/dips/viewer?PN=AU1879599&CY=fi&LG=fi&DB=EPD

        Comments
        1. By Anonymous Coward () on

          First of all, it describes automatically discovering "transformations" occurring between 2 end points and working around it. It doesn't cover encapsulating a protocol in another, for which there would be ample prior art anyways. Assuming the implementation would be a configuration option for turning on/off UDP encapsulation, that patent isn't relevant at all.

          Second, did you read any of the other patents it cites? Ones like the patent on authenticating a packet? I guess ipsec should be removed from OpenBSD totally then huh?

          OpenBSD could be found to be infringing on dozens of overly vague patents on things that can't be patented, does that mean its time to close up shop and forget about this whole programming thing?

          Comments
          1. By Anonymous Coward () on

            Yes I read it. It was just the first one to show up when doing a brief google search. There has been much FUD about NAT-T from various parties where they mention they have or don't have or potentially don't have or grant fair use for a series of patents, which explains the caution with which the OpenBSD project is approaching this issue.

            unless you really really can guarantee there is no patent....

            Comments
            1. By Anonymous Coward () on

              You can't guarantee there is no patent on tons of things, does that mean we should stop using computers for fear of accidentally infringing on a bogus patent? Is ipsec support being removed, since it's covered under patents?

          2. By markus () on

            http://www.ietf.org/ietf/IPR/SSH-HUTTUNEN-IPSEC-ESP-IN-UDP
            http://www.ietf.org/ietf/IPR/SSH-NAT
            http://www.ietf.org/ietf/IPR/MICROSOFT-NAT-Traversal.txt
            http://www.ietf.org/ietf/IPR/microsoft-ipr-draft-ietf-ipsec-ikev2.txt

            If these don't apply to NAT-T then fine.

            If you show that these don't apply then
            fine. The problem is: I don't want to
            have to show that they are no problem.

            All the statements are vague, and nobody could
            point out what applies and what does not.

            If you're going to do this work, fine.

            Comments
            1. By Anonymous Coward () on

              Those are emails saying "we might have a patent that might be covered by nat-t, but we will let you use it anyways if it's required to comply with the spec". You don't have to prove you aren't infringing, there is no way to prove that. I'm sure there are still countries where openbsd crypto isn't legal, but you are still shipping that. Wouldn't http://l2.espacenet.com/espacenet/viewer?PN=US5633931&CY=fi&LG=fi prevent you from shipping ipsec under this bizarre logic? Or http://l2.espacenet.com/espacenet/viewer?PN=US5793763&CY=fi&LG=fi should be enough to get NAT removed from OpenBSD right?

              Comments
              1. By markus () on

                i don't know why you are mixing things. what
                bizarre logic are you talking about? it's
                obvious that many people claim IPR on NAT-T
                and all i'm saying is that these things should
                be looked into first.

                Comments
                1. By Anonymous Coward () on

                  Right, it's obvious that people claim patents on nat-t. It's also obvious that people claim patents on nat, and on authenticating packets, and tons of other things that are already in OpenBSD. What's the difference? What is so special about this particular circumstance that makes it so openbsd users have to suffer with using linux just to have a VPN? Are you trying to protect yourself from lawsuits? Protect OpenBSD from lawsuits? Protect OpenBSD users from lawsuits? None of the above can even be accomplished, and all this is doing is making OpenBSD less useful than it could be. All I want to know is why.

                  Comments
                  1. By djm () on

                    Why don't you spend some of that enthusiasm on trying to find out the applicability of the patents to OpenBSD rather than arguing with the person who actually does the work?

                  2. By markus () on

                    i just want to know what technical details these claims are about so we can work around these issues.

    2. By Anonymous Coward () on

      Markus,

      Is it possible to get those patents for those of us willing to try it regardless of patent issues?

      Thanks!

      Comments
      1. By Anonymous Coward () on

        no, because that could be illegal :(

        Comments
        1. By Anonymous Coward () on

          What if I sign a NDA?

  3. By Anonymous Coward () on

    Wasn't OpenBSD going to be developed in free countries as opposed to the US? What's with this patent stuff then?

    Just let someone where these patents are invalid develop the stuff (just like with crypto regulations before). I thought the OpenBSD people were all for fighting these fights in a very pragmatic way -- not lying face down saying there's nothing they can do!

    Comments
    1. By markus () on

      unlike you, i'm doing something
