
Re: [Ipsec] Proposed changes to IKEv2 based on IESG comments



At 10:21 AM -0400 7/20/04, Michael Richardson wrote:
>  >>>>> "Charlie" == Charlie Kaufman <charliek@microsoft.com> writes:
>     Charlie> ********MOST LIKELY TO BE CONTROVERSIAL********
>     >> 2.19: Use IP addresses from the sample range (RFC 3330) instead
>     >> of RFC 1918 addresses.
>
>     Charlie> RFC3330 reserves addresses of the form 192.0.2.0/24 for
>     Charlie> examples in documentation. Unfortunately, negotiation of
>     Charlie> traffic selectors requires specification of two
>     Charlie> subnets. They are currently taken from 10.*, which is
>     Charlie> reserved for local use. While in theory, one might divide
>     Charlie> 192.0.2.0 into multiple subnets, this is likely in practice
>     Charlie> to be confusing.
>
>   I suggest that you use 192.0.2.0 and 192.0.3.0.
>
>Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
>                                   192.0.0.0 - 192.0.127.255
>
>   I'm told that new numbers will be assigned for examples.
>   I would stay away from 10.* because in my experience, people think
>that it has something to do with NAT, and get confused.

I fully agree with Michael here. In our interop testing, I have 
talked to more than one IPsec engineer who has thought that private 
addresses (such as 10. addresses) *have* to be behind a NAT box. 
Using the new, not-private-looking addresses would be less confusing.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec