RE: NAT Traversal
Bill Sommerfeld wrote:
>
> > I am suggesting that the original concept of IPsec SA being identified by
> > a tuple: destination IP, protocol, SPI be required, and within the SPI add
> > new semantics for picking a SPI on the phase2 responder.
>
> I strongly object.
>
> UDP encapsulation works JUST FINE to get through NATs which aren't
> trying to be too clever (and it appears that there are other
> workarounds to deal with overly-clever NATs).
I agree. By handling NATs through UDP encapsulation, you will get
through most if not all NATs. And if the cost can be kept down to
only the addition of 8 or 16 bytes, would that be too much?
Henrik
>
> There's no need to introduce potential vulnerabilities/points of
> collision/etc. elsewhere in the system.
>
> - Bill
>