[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: bidding down attach on NAT-T
On Tue, 2003-03-11 at 09:35, Derek Atkins wrote:
> Francis Dupont <Francis.Dupont@xxxxxxxxxxxxxxxx> writes:
> => I am not in favor of a MUST which has nothing to do with
> > interoperability, IMHO we should let the market do its job...
> > And I don't believe implementors who still have NAT-T support
> > in their plans like to become not compliant.
> If we're not going to make sure that IKEv2 works across NAT, then I
> think we should just go home now. Read after me: A road warrior has
> no choice over whether there is a NAT is between them and their home
> base. We should support this (EXTREMELY) common case.
Let me second this. The market *is* doing its job - *lots* of
remote worker products are moving to non-IPSEC encryption protocols.
Look at URoam, Neoteris, Netilla, Aventail, Openreach, SafeWeb,
Imperito, and lots of others (including us). And that's just the
"remote work" industry. IPSEC (as implemented) is a massive pain wrt
NAT. Even if users have a choice to remove their NAT (i.e. their home
Linksys router), they usually don't want to or can't.
I realize there are lots of other ways for IPSEC to be employed, but
remote network access is certainly a key area that is hurting because
of this. I strongly recommend a MUST for NAT-T.