> Wasting time in yet another WG on figuring out how to work around NAT
> is a bad idea, so the IESG should revisit the IPsec WG charter.

The IESG should do no such thing. IPSEC needs to fix their protocol.

> In some parts of the world IPv6 is being deployed today, so just
> because you don't see it happening in your area is no reason to take
> the toys to another forum.

I am probably more aware of the extent of IPv6 deployment than you are. Yes it does exist, no the extent and pace of deployment does not support your argument that we can all wait for IPv6 to happen. Having been part of the transitioning of a much smaller network from DECNET to OSI I think I have a more realistic understanding of what is involved.

> If demand for IPsec is really that strong, why are people still
> putting in NATs when they know that it will be broken?

The people who want IPSEC are often different from the people performing NAT attacks on them.

> If people really want IPsec they can still get IPv4 addresses. Yes we
> need IPsec, and yes we need to live in a world with IPv4 NAT, but
> those two requirements don't mean the IPsec WG needs to be wasting
> time figuring out how to get IPsec through a NAT. MidCom is working on
> a generic solution to the problem for IPv4, and using IPv6 to push the
> entire IPv4/NAT mess down a layer gives you a cleaner way out.

This is sophistry. IPSEC needs to address the NAT problems that IPSEC introduces. MidCom is not about to go fixing IKE to work through NATs.

Again it is very clear that what you are really trying to do here is to kill NAT by some bizarre IETF machinations. Won't work, been there tried that. All that approach would do is cause the vendors to diverge further.

> I am sorry, I thought this discussion was about traversing NAT to make
> IPsec work. So it is really about how to do the easy half (and a small
> subset of that), maybe it should be titled 'the client side of a few
> applications NAT traversal'.
I don't think that it is rational to expect NAT + IPSEC to provide greater connectivity than NAT alone. NAT reduces the functionality of IP, IPSEC + NAT currently eliminates the functionality of IP, the objective of IPSEC has to be to get IPSEC + NAT to give equivalent functionality to plain NAT.

Phill
Phillip Hallam-Baker (E-mail).vcf