RE: [Ipsec] Proposed changes to IKEv2 based on IESG comments
Great. That sounds like it will make everyone happy. I'll make
that change.
--Charlie
-----Original Message-----
From: Paul Hoffman / VPNC [mailto:paul.hoffman@vpnc.org]
Sent: Tuesday, July 20, 2004 8:20 AM
To: Michael Richardson; Charlie Kaufman
Cc: ipsec@ietf.org
Subject: Re: [Ipsec] Proposed changes to IKEv2 based on IESG comments
At 10:21 AM -0400 7/20/04, Michael Richardson wrote:
> >>>>> "Charlie" == Charlie Kaufman <charliek@microsoft.com> writes:
> Charlie> ********MOST LIKELY TO BE CONTROVERSIAL********
> >> 2.19: Use IP addresses from the sample range (RFC 3330) instead
> >> of RFC 1918 addresses.
>
> Charlie> RFC3330 reserves addresses of the form 192.0.2.0/24 for
> Charlie> examples in documentation. Unfortunately, negotiation of
> Charlie> traffic selectors requires specification of two
> Charlie> subnets. They are currently taken from 10.*, which is
> Charlie> reserved for local use. While in theory, one might divide
> Charlie> 192.0.2.0 into multiple subnets, this is likely in practice
> Charlie> to be confusing.
>
> I suggest that you use 192.0.2.0 and 192.0.3.0.
>
>Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
> 192.0.0.0 - 192.0.127.255
>
> I'm told that new numbers will be assigned for examples.
> I would stay away from 10.* because in my experience, people think
>that it has something to do with NAT, and get confused.
I fully agree with Michael here. In our interop testing, I have
talked to more than one IPsec engineer who has thought that private
addresses (such as 10. addresses) *have* to be behind a NAT box.
Using the new, not-private-looking addresses would be less confusing.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec