
RE: Towards closure on NAT traversal.



> Wasting time in yet another WG
> on figuring out how to work around NAT is a bad idea, so the IESG should
> revisit the IPsec WG charter.

The IESG should do no such thing. IPSEC needs to fix their
protocol. 

> In some parts of the world
> IPv6 is being deployed today, so just because you don't see 
> it happening
> in your area is no reason to take the toys to another forum.

I am probably more aware of the extent of IPv6 deployment than
you are. Yes it does exist, no the extent and pace of deployment
does not support your argument that we can all wait for IPv6
to happen.

Having been part of the transitioning of a much smaller network
from DECNET to OSI I think I have a more realistic understanding
of what is involved.

> If demand for IPsec is really that strong, why are people 
> still putting
> in NATs when they know that it will be broken? 

The people who want IPSEC are often different from the people
performing NAT attacks on them.


> If people really want
> IPsec they can still get IPv4 addresses. Yes we need IPsec, and yes we
> need to live in a world with IPv4 NAT, but those two 
> requirements don't
> mean the IPsec WG needs to be wasting time figuring out how 
> to get IPsec
> through a NAT. MidCom is working on a generic solution to the problem
> for IPv4, and using IPv6 to push the entire IPv4/NAT mess down a layer
> gives you a cleaner way out.

This is sophistry. IPSEC needs to address the NAT problems
that IPSEC introduces. MidCom is not about to go fixing IKE
to work through NATs.

Again it is very clear that what you are really trying to do
here is to kill NAT by some bizarre IETF machinations. Won't
work, been there, tried that. All that approach would do is
cause the vendors to diverge further.

> I am sorry, I thought this discussion was about traversing NAT to make
> IPsec work. So it is really about how to do the easy half (and a small
> subset of that), maybe it should be titled 'the client side of a few
> applications NAT traversal'.

I don't think that it is rational to expect NAT + IPSEC to
provide greater connectivity than NAT alone. NAT reduces the
functionality of IP; IPSEC + NAT currently eliminates the
functionality of IP; the objective of IPSEC has to be to
get IPSEC + NAT to give equivalent functionality to plain NAT.

		Phill
