
RE: NAT Traversal





> -----Original Message-----
> 
> > - IKE is a key management protocol. "NAT discovery" doesn't belong in a
> 
> I agree. Some people in the WG think that we should also allow NATs to
> live, thus we must cope with them. If you do not agree with the IPsec
> WG, then you should complain to WG in general.
> 
> The IPsec WG charter has item:
> 
> ----------------------------------------------------------------------
> The IPSEC working group will restrict itself to the following
> short-term work items to improve the existing key management protocol
> (IKE) and IPSEC encapsulation protocols:
> 
> 1. Changes to IKE to support NAT/Firewall traversal
> ...
> ----------------------------------------------------------------------
> 

This charter item came long after you guys had proposed using IKE for
NAT discovery etc. Didn't you have any input in getting it into the
charter?
If so, don't try to justify a wrong by using the charter item as an
excuse.


> 
> > What design principles is your solution based on?
> 
> Has to work with existing hardware. When this proposal was first made
> none of the NAT boxes did this kind of broken magic on the IKE
> packets, thus it worked fine with NAT boxes out there. Then we
> suddenly noticed that our fine proposal that worked everywhere has
> been broken by people doing some kind of magic that does work sometimes
> somewhere if the phase of the moon is right.
> 
> kivinen@ssh.fi

This argument just does not hold any water.

It's not like your proposal has not changed over past two years.
Moreover, the last time you made a big change, these boxes were already
out there in numbers. 


Regards,
Jayant