
Re: IKEv2 and NAT traversal



>
>I'd find the world a lot happier place without NATs. However, I find it
>likely that IPsec is the one to die if it doesn't live with NATs, and not
>the NATs, regrettably.
>

That's because from a customer perspective IPsec is a component to a solution,
not a solution in and of itself.  By comparison NAT is a solution to the
problem of a dwindling set of IPv4 addresses, so it will always be a more
important technology than IPsec in customers' minds.

BTW, although IPv6 is a more "pure" way to solve the address space problem,
certainly NAT is a good, practical solution.  By knowing the context of the
in-flight packet (either in the sender's or receiver's private net or out on
the public Internet), it allows the effective address space to expand and
yet preserves backwards compatibility with the legacy public IPv4 address
space.  I actually really like its elegant tradeoffs.  This is what good
engineering is all about, preserving the old customers' capital investment
yet finding an effective way to scale the technology to allow new customers
to use it.

My hat's off to the NAT WG.

- Alex

--

Alex Alten
Alten@NetVista.Com


