[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC and NAT

To: Dan.McDonald@Eng.Sun.Com (Dan McDonald)
Subject: Re: IPSEC and NAT
From: hsw@columbia.sparta.com (Howard Weiss)
Date: Tue, 26 Aug 1997 07:54:30 -0400 (EDT)
Cc: tytso@MIT.EDU, ipsec@tis.com
Fax: (410) 381-5559
In-Reply-To: <199708260032.RAA12717@kebe.eng.sun.com> from "Dan McDonald" at Aug 25, 97 05:32:18 pm
Organization: SPARTA Inc. (Secure Systems Engineering Division)
Phone: (410) 381-9400 x201
Sender: owner-ipsec@ex.tis.com
Usmail: 9861 Broken Land Parkway, Suite 300, Columbia MD 21046

> 
> > Unfortunately, there's a huge number of companies that very foolishly
> > invested a large amount of money in NAT boxes, for better or for worse,
> > and the auto industry in particular is apparently committed to spend
> > millions to perpetuate this architectural eyesore, because apparently
> > would be far more expensive to undo this mistake.

I could not agree more that NAT is an architecture kludge.  But we've
been there before (anyone remember ARPAnet IMP port expanders?).  And,
coming from a personal experience of *almost* having to renumber an
entire corporate structure when we switched Internet providers, using
internal-only addresses that never have to be changed regardless of
ISP, IPvX, CIDR, etc has its appeal to the end-use.


> > In any case, NAT is far outside the scope of this working group ---
> > although wishing that the problem will go away won't make it so,
> > especially if there's enough money in the market places forcing vendors
> > to invent solutions that accomodates this fundamentally broken
> > technology.
> 
> I could make some choice comments here about NAT being what happens when we
> don't deploy the _right_ solution (IMHO the right solution is IPv6, or any
> IPng) quickly enough.

Absolutely!  However (and not to bring up the renumbering issue(s)
again), it is really a royal pain to renumber an entire organization
and so the solution must also take into account that we have enough
addresses to cover every pipe valve in the world and therefore would
never have to renumber.

> I could also say that I hope we (and I cheerfully include myself in "we")
> don't make the same mistake w.r.t. being too slow to deploy the _right_
> solution.
> 
> Dan
> 

Hear, hear!



Howie

-- 
 ___________________________________________________________________
|                                                                   |
|Howard Weiss                        phone (410) 381-9400 x201      |
|SPARTA, Inc.                              (301) 621-8145 x201 (DC) |
|9861 Broken Land Parkway, suite 300 fax:  (410) 381-5559           |
|Columbia, MD 21046                  email: hsw@columbia.sparta.com |
|___________________________________________________________________|

References:

Re: IPSEC and NAT

From: Dan.McDonald@Eng.Sun.Com (Dan McDonald)

Prev by Date: Re: order/nesting of IPsec headers (transport mode)
Next by Date: Re: IPSEC and NAT and the BIG PICTURE
Prev by thread: Re: IPSEC and NAT
Next by thread: Re: IPSEC and NAT and the BIG PICTURE
Index(es):
- Main
- Thread