
Re: bidding down attack on NAT-T

Just a reminder that there are many non-VPN uses for IKE2, such as RPSec's
interest to use IKE/IPSec to secure routing protocols. Such use does not require


Derek Atkins wrote:
Francis Dupont <Francis.Dupont@xxxxxxxxxxxxxxxx> writes:

 In your previous mail you wrote:

Francis Dupont <Francis.Dupont@xxxxxxxxxxxxxxxx> writes:

> How important is it for everyone to support NAT-T?
> => I don't believe a MUST support is a good idea because this makes no
> sense for an IPv6 implementation.

Can we agree on "MUST support NAT-T if you support IPv4"?

=> I am not in favor of a MUST which has nothing to do with
interoperability, IMHO we should let the market do its job...
And I don't believe implementors who still have NAT-T support
in their plans like to become not compliant.

HUH? What do you mean it has nothing to do with interoperability.
If implementations don't implement NAT-T then it won't work across a NAT.
I would certainly call that an interoperability problem, wouldn't you?

I also do not understand your last sentence. If they are implementing
NAT-T then they WOULD be compliant -- it's only people who DON'T
implement who would be compliant. Besides, this is only for implementors
who support IPv6. Your initial complaint about MUST was that it didn't
make sense for v6. I agree with that, but now you say it doesn't make
sense for v4, either?

If we're not going to make sure that IKEv2 works across NAT, then I
think we should just go home now. Read after me: A road warrior has
no choice over whether there is a NAT between them and their home
base. We should support this (EXTREMELY) common case.



-derek, who has been stuck behind a NAT at TOO MANY conferences.