Re: NAT Traversal
"Chinna N.R. Pellacuru" <pcn@cisco.com> writes:
> Point taken. We propose to folks who want to use our proposal to reduce
> the SPI space by 16 bits, but not give up their flexibility of using
> different tunnel endpoints to demux incoming ESP/AH traffic.
Having different endpoints necessarily requires your endpoint to
actually be able to use those various IP addresses. If you're in a
situation where you're using NAT, most likely you only have one
address to use on that end, and generally a Security Gateway only has
one address. It's not like a company is going to supply a /24 subnet
to a single Security Gateway.
Also, I think that assuming that you have control over your destiny is
not a very scalable approach. When I visit a hotel and use the
network in my room, I have no control over the NAT box they provide
me.
I want a solution that I can use through _ANY_ NAT box that is
currently deployed, because I don't expect these hotels to spend any
money to upgrade their current hardware.
> chinna
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com