
Re: Rendezvous Wide Area



Hi Felipe,

I also thought that Rendezvous should be used only for LAN, but I recently
(last Monday) attended a seminar from Apple about Rendezvous technology and
they presented the so-called "Wide Area Rendezvous". Mr Stuart Cheshire even
showed us that he has access to his Apple printers (Rendezvous enabled) in
California (the seminar was in Tokyo, Japan) using the Apple VPN. Of course,
the printers were listed using Rendezvous Discovery.


Basically, he explained that RNDV WideArea makes use of "Dynamic DNS Update"
for registration and "Unicast DNS Queries" for Discovery. He also presented
a slide showing the Architecture of "Dynamic DNS Update" which uses NAT-T
and TSIG.


OK, I didn't do too much research before sending my doubts to the list. The
NAT-T is used to allow the secure communication of two devices in different
LANs. Before the NAT-Traversal, the NAT and IPSec could not work together
because the IPSec changes the IP addresses and confuses the NAT Router. That
is why the NAT-T was created. Now it is possible to use IPSec and provide
Address Translation at the same time.
The TSIG is used for secure DNS. It provides Transaction Signatures.

Actually, we call the protocol NAT-PMP for NAT Port Mapping Protocol. This protocol has nothing to do with secure communication of two devices in different LANs. It simply maps ports in the NAT to allow incoming connections. The NAT device will need to be updated to support NAT-PMP, but the protocol is really easy to implement.


The act of registering your service with Wide-Area Rendezvous will automatically map a public port for you and then the NAT's public IP address and public port will be registered with the DNS service using Dynamic DNS Update. Then other people can browse for your service and connect to you.


What I am trying to figure out now is how the whole thing should work. I
mean, I already have my device with LAN (local) Rendezvous enabled and
working fine. How can another client reach the services I am publishing if
he is outside my local area? The device service provider must register it
using DNS Update?

In order for Wide-Area Rendezvous to work, you'll need to register your services with a centralized DNS server. Either you'll provide the server yourself, or potentially you'll use an ISP's server, assuming the ISP were to provide Dynamic DNS Update service.



And to discover services outside the Local Area? The client needs only to
perform a normal DNS query for that service using Unicast UDP?

Exactly.

-Marc
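Marc describes NAT-PMP as a simple port-mapping protocol whose result (the NAT's public address and port) is then registered with Dynamic DNS Update. The following is an added example, not code from this thread or from Apple: it encodes and decodes the NAT-PMP messages as they were later written down in RFC 6886, and combines the two replies into the endpoint a device would publish. The sample replies and the address 203.0.113.7 are constructed for the example.

```python
import struct

# NAT-PMP wire format, as later written down in RFC 6886; the gateway listens on UDP 5351.
NATPMP_VERSION = 0
OP_PUBLIC_ADDR, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized / refused",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}

def _check(ver, op, expected_op, result):
    """Shared validation: version 0, opcode = request opcode | 0x80, result code 0."""
    if ver != NATPMP_VERSION or op != expected_op | 0x80:
        raise ValueError("unexpected NAT-PMP version/opcode %d/%d" % (ver, op))
    if result != 0:
        raise RuntimeError("NAT-PMP error: " + RESULT_CODES.get(result, str(result)))

def build_map_request(proto, internal_port, external_port=0, lifetime=3600):
    """12-byte mapping request; external_port 0 lets the gateway pick a free port."""
    if proto not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("proto must be OP_MAP_UDP or OP_MAP_TCP")
    return struct.pack("!BBHHHI", NATPMP_VERSION, proto, 0, internal_port, external_port, lifetime)

def parse_map_response(data, proto):
    """Decode the 16-byte mapping reply; the gateway may have changed the external port."""
    if len(data) < 16:
        raise ValueError("short NAT-PMP mapping response")
    ver, op, result, uptime, iport, eport, lifetime = struct.unpack("!BBHIHHI", data[:16])
    _check(ver, op, proto, result)
    # 'uptime' is seconds since the gateway's mapping table was last reset: if it goes
    # backwards between replies, every mapping was lost and must be requested again.
    return {"internal_port": iport, "external_port": eport, "lifetime": lifetime, "gateway_uptime": uptime}

def parse_public_address_response(data):
    """Decode the 12-byte reply to the 2-byte public-address request (opcode 0)."""
    if len(data) < 12:
        raise ValueError("short NAT-PMP address response")
    ver, op, result, _uptime, addr = struct.unpack("!BBHI4s", data[:12])
    _check(ver, op, OP_PUBLIC_ADDR, result)
    return ".".join(str(b) for b in addr)

def wide_area_endpoint(addr_reply, map_reply, proto):
    """The (public IP, public port, lifetime) triple that goes into the A/SRV records sent
    by Dynamic DNS Update; refresh the mapping (and the records) before the lifetime ends."""
    mapping = parse_map_response(map_reply, proto)
    return parse_public_address_response(addr_reply), mapping["external_port"], mapping["lifetime"]

# Constructed sample replies (not captured from a real gateway): a granted TCP mapping of
# internal port 631 to public port 49152 for an hour, a refused one, and a public address.
SAMPLE_MAP_OK = struct.pack("!BBHIHHI", 0, 0x82, 0, 1234, 631, 49152, 3600)
SAMPLE_MAP_REFUSED = struct.pack("!BBHIHHI", 0, 0x82, 2, 1234, 631, 0, 0)
SAMPLE_ADDR = struct.pack("!BBHI4s", 0, 0x80, 0, 1234, bytes([203, 0, 113, 7]))
```

NAT-PMP carries no authentication at all; the only thing that keeps outsiders from opening mappings is that the gateway must accept these requests solely from its internal interface, which is worth checking on any NAT-PMP-capable router.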





To answer your questions:
What do you mean 'static' NAT? Do you mean static IP addresses and port
forwarding?
Yes, that is exactly what I meant.


Felipe

-----Original Message-----
From: Cameron Kerr [mailto:email@hidden]
Sent: Friday, November 12, 2004 2:03 PM
To: Felipe Bittencourt
Subject: Re: Rendezvous Wide Area


On 12/11/2004, at 2:24 PM, Felipe Bittencourt wrote:

I am trying to study the Rendezvous for Wide Area Networks.

Rendezvous was not designed for a WAN, or even a multi-subnet LAN, as it uses Link Local Multicast and thus cannot pass through routers.

However, that said, you should remember that Rendezvous is an
implementation of ZeroConf. ZeroConf is designed for networks without
infrastructure (certainly not Rendezvous).

Recall that ZeroConf contains three parts:

1) Automatic address assignment, without DHCP. In an infrastructure
network, DHCP can be used (in fact, DHCP should be tried before using a
link-local address).

2) Name lookup without DNS. In Rendezvous, multicast DNS (mDNS) is
used, though there is no ratified protocol for this task for ZeroConf,
although I think mDNS is the most likely. In infrastructure networks,
mDNS (.local.) would be used instead. In a well-integrated system,
.local would be handled by the resolver library.

3) Service advertisement and discovery. In Rendezvous, DNS-SD is used,
although there is no ratified protocol for ZeroConf. DNS-SD does not
depend on mDNS, and can be used in either ad-hoc or infrastructure
networks.

Since I am new to the TSIG and NAT-T protocols I was wondering if someone
could provide me with more explanations about Rendezvous for Wide Area?

For more information about TSIG, look around for information regarding DNSSEC (DNS Security).

NAT-T, AFAIK, is not a protocol, but a technique. In essence, it just
means that the client needs to use the router's public address instead
of its own when writing the address into the data-stream. Are you
thinking of the NAT-T facility in IPSec stacks?

It would be nice to have some document explaining the whole thing...
Some doubts that I already have are:

1- How can a service be discovered behind a NAT translator?

Best bet would be to use SLP (Service Location Protocol). In fact, Mac OS X used SLP until 10.2(?). By the way, can anyone point to a reason (preferably documentation) as to why they switched?

If you used SLP you could run a discovery agent (DA in SLP parlance)
either on the NAT router or through it using port forwarding, but this
would require two things:

1) Addresses for advertised services would need to be changed (probably
using some special connection tracking module, or a patched DA)

2) Ports would need to be opened on the router, probably dynamically.
To do this, UPnP could be used, but only if a) the DA was patched to
act as a UPnP agent, and b) the router understood UPnP.

If you instead wanted to use DNS-SD, you would just need to open a port
to your DNS server. However, packets would need to be rewritten as they
go through the NAT. Even if you put the DNS server on the router, you
would still need to do this, and open ports on the router as new
services are added.

BTW, AFAIK, Mac OS X does not, at this time, support the use of unicast
DNS for use with DNS-SD as part of Rendezvous, which is quite
disappointing. (If anyone can point me to a document saying how to use
Rendezvous/DNS-SD on Mac OS X for infrastructure networks, I would love
to hear from you.)

Do we need to use static NAT?

What do you mean 'static' NAT? Do you mean static IP addresses and port forwarding?

--
Cameron Kerr
email@hidden; http://humbledown.org
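Both Felipe and Cameron touch on TSIG without showing what it protects. As an added example (not code from this thread, from Apple, or from any DNS library), the block below builds the RFC 2136 UPDATE a device would send to register its DNS-SD PTR record in a wide-area zone, signs it with a TSIG record, and shows the server-side check. The zone example.com, the key name wide-area-key.example.com, the secret and the printer name are constructed; HMAC-SHA256 (RFC 4635) is used instead of the HMAC-MD5 of the original TSIG RFC 2845, and the verifier is simplified to a single known key and algorithm.

```python
import hashlib
import hmac
import struct

def encode_name(labels):
    """Uncompressed wire name; labels as a list (a DNS-SD instance label may contain dots)."""
    out = b""
    for raw in (label.encode("utf-8") for label in labels):
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_update(zone, rr_name, rtype, ttl, rdata, msg_id):
    """RFC 2136 UPDATE: one zone, no prerequisites, one 'add this RR' entry."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # opcode 5 = UPDATE
    zone_rr = encode_name(zone) + struct.pack("!HH", 6, 1)       # SOA, class IN
    add_rr = encode_name(rr_name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + zone_rr + add_rr

def _tsig_vars(kname, aname, time_signed, fudge):
    # Also covered by the MAC (RFC 2845 s3.4.2): key name, class ANY, TTL 0, algorithm,
    # time signed (48-bit), fudge, error 0, other-len 0. Names must be canonical lowercase.
    return (kname + struct.pack("!HI", 255, 0) + aname
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))

def tsig_sign(msg, key_name, key, time_signed, fudge=300, alg=("hmac-sha256",)):
    """Append a TSIG RR (RFC 2845; HMAC-SHA256 from RFC 4635) and bump ARCOUNT."""
    kname, aname = encode_name(key_name), encode_name(alg)
    mac = hmac.new(key, msg + _tsig_vars(kname, aname, time_signed, fudge), hashlib.sha256).digest()
    rdata = (aname + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))   # original ID, error, other-len
    rr = kname + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def tsig_verify(signed, key_name, key, now, alg=("hmac-sha256",)):
    """Server side: strip the TSIG RR, recompute the MAC, enforce the fudge window (replay limit)."""
    kname, aname = encode_name(key_name), encode_name(alg)
    mac_len = hashlib.sha256().digest_size
    rr_len = len(kname) + 10 + len(aname) + 10 + mac_len + 6   # assumes no other-data
    rr = signed[-rr_len:]
    if len(signed) <= rr_len + 12 or not rr.startswith(kname + struct.pack("!HHI", 250, 255, 0)):
        return False
    rd, off = rr[len(kname) + 10:], len(aname)
    time_signed = int.from_bytes(rd[off:off + 6], "big")
    fudge = struct.unpack("!H", rd[off + 6:off + 8])[0]
    mac = rd[off + 10:off + 10 + mac_len]
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:-rr_len]
    expected = hmac.new(key, unsigned + _tsig_vars(kname, aname, time_signed, fudge), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge
```

The time-signed field and fudge window are what stop a captured UPDATE from being replayed later, so the server that accepts these registrations needs a reasonably accurate clock.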

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Rendezvous-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/rendezvous-dev/email@hidden

This email sent to email@hidden
