
Re: IKEv2 and NAT traversal



henry@spsystems.net (Henry Spencer) writes:
> On 12 Dec 2001, Markus Stenberg wrote:
> > > Since that NAT people insisted on running on the same port using a
> > > terrible hack to get around a number of imaginary problems, frankly, I
> > > think that this is the NAT people's problem.
> > 
> > I'm tired of reiterating same stupid arguments over and over. See
> > draft-ietf-ipsec-udp-encaps-justification-00.txt section 7.2.
> Perhaps you need to come up with some non-stupid arguments, because
> section 7.2 is pretty feeble justification for such a gut-wrenchingly bad
> design.

It minimizes complexity, which is an important consideration.

> (I distinguish here between the requirement and the proposed solution. 
> NAT traversal, although somewhat distasteful, is defensible.  Committing
> unspeakable acts on an existing port in the name of NAT traversal is not.)
> 
> Speaking as an implementor, I would much rather solve the problems noted
> in section 8.4 than the ones perpetrated in section 7.2.

Don't hesitate to send your own draft if you have solutions to those. The
current one is the conclusion of maybe two years of collaboration between
multiple companies' people, and there HAS been thought on the 8.4 also.

I'd like to find the perfect solution also, which wouldn't need any
overhead, complexity or anything else either; this involves assassinating a
few NAT people/vendors, though.

(Or the 'second coming of <your selected religious messiah>', aka total IPv6)

>                                                           Henry Spencer
>                                                        henry@spsystems.net

-Markus

-- 
Markus Stenberg <stenberg@ssh.com> of SSH Communications Security (www.ssh.com)
Chief Engineer / SSH 囲碁先生
