> PS: Can I repeat my mantra? NAT is the spawn of the devil and should
> be eradicated from the face of the planet. If necessary, we should
> nuke it from orbit -- it's the only way to be sure!

You can repeat it as long as you like, just recognise that the need for NAT arose in part from design decisions the IETF itself screwed up and that an Internet protocol, particularly a security protocol, has no business being deployed if it can't cope with NAT.

Like it or not, NAT is part of the infrastructure we have to deal with in the real world. It is as much a part of the Internet as sendmail or any of the other junk that is out there.

On the other hand I don't see any reason that ESP mode needs to work with NAT, but then again I never saw a need for ESP.

I think it is important that a solution is decided upon quickly however. Otherwise the number of ad-hoc fixes that grow up to fix the NAT problem will grow exponentially and with it the number of additional targets that Derek will be lobbying to add to the axis of evil.

The problem with NAT suggests to me that their authentication role was not properly understood in IPSEC. I have never seen an internet service advertised by IP address (except for the A root). Ergo it is not a primary authentication point. The IP address is sometimes a secondary authentication mechanism and should be validated as part of the process of establishing an SA.

Phill