
Re: NAT Traversal



On 7 Mar 2002, Derek Atkins wrote:

> "Chinna N.R. Pellacuru" <pcn@cisco.com> writes:
>
> > Point taken. We propose to folks who want to use our proposal to reduce
> > the SPI space by 16 bits, but not give up their flexibility of using
> > different tunnel endpoints to demux incoming ESP/AH traffic.
>
> Having different endpoints necessarily requires your endpoint to
> actually be able to use those various IP addresses.  If you're in a
> situation where you're using NAT, most likely you only have one
> address to use on that end, and generally a Security Gateway only has
> one address.  It's not like a company is going to supply a /24 subnet
> to a single Security Gateway.

If someone has just one IP address to use as his local endpoint, then
probably 64K IPsec connections are more than enough for him. That box first
has to be able to handle so many IPsec connections.

>
> Also, I think that assuming that you have control over your destiny is
> not a very scalable approach.  When I visit a hotel and use the
> network in my room, I have no control over the NAT box they provide
> me.
>

As I have repeated many times, our proposal is geared more towards people
who can plan their network end-to-end. It is becoming more and more
important, as people are putting business-critical applications on their
network, for them to plan their network end-to-end. If you think you have
total control over your destiny, our solution is the one you should be
supporting :-) Network designers, IT administrators and others who have
total control over what solution they want for their network should
support us, because you can save yourself the overhead of UDP
encapsulation and other overheads.

Please refer to the mail I sent enumerating our reasons for coming up with
a different solution to the UDP encapsulation scheme.

> I want a solution that I can use through _ANY_ NAT box that is
> currently deployed, because I don't expect these hotels to spend any
> money to upgrade their current hardware.
>

I don't think there is any current proposal that has been disclosed and
discussed fully on this list that can do that. I agree that you will have
a better chance of getting IPsec through unknown NAT boxes if you use UDP
encapsulation, assuming that those NAT boxes don't have any hacks to deal
with broken IPsec implementations. Even if we hit a NAT box that has a hack
for broken IPsec implementations, we can influence the NAT box owners to
upgrade and remove that hack so that our IPsec implementation, which is not
broken, can go through.

As far as hotels are concerned, I will choose a hotel that is more oriented
towards the business traveller, and that is willing to accommodate any
reasonable requests from its clients. What is the use of an Internet
connection in every room if the hotel's equipment doesn't support an
important VPN technology like IPsec?

    chinna
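The two framings argued over in this thread, as an added worked example that is not part of the original message, Cisco's draft, or Derek's reply. The UDP side follows the published RFC 3948 layout (8-byte UDP header on port 4500, IKE on the same port marked by four zero bytes, which ESP can never start with because SPI 0 is reserved). The "reduce the SPI space by 16 bits" side is an assumption about the mechanism, modelled as: the high 16 bits of the SPI carry a per-endpoint tag that a cooperating NAT can rewrite like a port, and only the low 16 bits index the SA, which is where the 64K-connections figure in the message comes from. All packet contents, addresses and the tag mapping are constructed test data.

```python
import struct

UDP_ENCAP_PORT = 4500                  # RFC 3947/3948 port for IKE and ESP-in-UDP
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: 4 zero bytes in front of IKE on port 4500
SPI_RESERVED_MAX = 255                 # RFC 4303: SPI 0 and 1..255 are reserved


def build_esp(spi: int, seq: int, protected: bytes) -> bytes:
    """Native ESP: 4-byte SPI, 4-byte sequence number, then the protected bytes.
    Trailer and ICV are treated as part of `protected` (constructed input)."""
    if not (SPI_RESERVED_MAX < spi <= 0xFFFFFFFF):
        raise ValueError("SPI must be in 256..2^32-1")
    return struct.pack("!II", spi, seq) + protected


def build_udp_encap(src_port: int, dst_port: int, esp: bytes) -> bytes:
    """RFC 3948 framing: an 8-byte UDP header (zero checksum is allowed for
    ESP-in-UDP) placed directly in front of the ESP packet."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0) + esp


def encapsulation_overhead(esp: bytes) -> int:
    """Per-packet bytes the UDP method costs over native ESP (the 'overhead'
    the message refers to)."""
    return len(build_udp_encap(UDP_ENCAP_PORT, UDP_ENCAP_PORT, esp)) - len(esp)


def classify_port_4500(udp_payload: bytes) -> tuple:
    """Receiver side of RFC 3948 demultiplexing on port 4500: IKE carries the
    zero marker, ESP cannot (SPI 0 is reserved), so 4 bytes disambiguate."""
    if udp_payload.startswith(NON_ESP_MARKER):
        return ("ike", udp_payload[len(NON_ESP_MARKER):])
    return ("esp", udp_payload)


def alloc_reduced_spi(tag: int, index: int) -> int:
    """ASSUMED model of the 'SPI space reduced by 16 bits' scheme: high 16 bits
    are an endpoint tag a cooperating NAT may translate, low 16 bits are the
    SA index (hence at most 64K SAs per endpoint). Values landing in the
    reserved SPI range are refused."""
    if not (0 <= tag <= 0xFFFF and 0 <= index <= 0xFFFF):
        raise ValueError("tag and index are 16-bit quantities")
    spi = (tag << 16) | index
    if spi <= SPI_RESERVED_MAX:
        raise ValueError("SPI falls in the reserved range 0..255")
    return spi


def nat_rewrite_spi(spi: int, tag_map: dict) -> int:
    """A NAT that knows the (assumed) scheme rewrites only the tag half,
    leaving the SA index untouched; unknown tags raise KeyError."""
    tag, index = spi >> 16, spi & 0xFFFF
    return (tag_map[tag] << 16) | index


def demux(sad: dict, dst_addr: str, spi: int):
    """Inbound ESP lookup keyed on (destination address, SPI), which is what
    lets one SPI value be reused behind different tunnel endpoints."""
    return sad.get((dst_addr, spi))


def demo() -> dict:
    """Runs both framings over constructed packets and returns the results."""
    protected = b"\x11" * 48                      # constructed stand-in for ciphertext+trailer+ICV
    spi = alloc_reduced_spi(0x0001, 0x0042)       # tag 1, SA index 0x42
    esp = build_esp(spi, 1, protected)
    wire = build_udp_encap(UDP_ENCAP_PORT, UDP_ENCAP_PORT, esp)
    esp_kind, _ = classify_port_4500(wire[8:])    # strip the UDP header, then classify
    ike_kind, _ = classify_port_4500(NON_ESP_MARKER + b"\x22" * 28)  # constructed IKE datagram
    sad = {("192.0.2.1", spi): "SA-A", ("192.0.2.2", spi): "SA-B"}  # same SPI, two endpoints
    return {
        "overhead": encapsulation_overhead(esp),
        "udp_kind": esp_kind,
        "ike_kind": ike_kind,
        "demux": (demux(sad, "192.0.2.1", spi), demux(sad, "192.0.2.2", spi)),
        "translated": nat_rewrite_spi(spi, {0x0001: 0x0ABC}),  # constructed NAT tag map
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete: the UDP route costs a fixed 8 bytes per packet and works through any NAT that forwards UDP, while the SPI-splitting route costs nothing on the wire but only works if the NAT in the path understands the scheme, which is exactly the "plan your network end-to-end" condition the message attaches to it.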