[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: bidding down attach on NAT-T



On Tue, 2003-03-11 at 09:35, Derek Atkins wrote:
> Francis Dupont <Francis.Dupont@xxxxxxxxxxxxxxxx> writes:
> => I am not in favor of a MUST which has nothing to do with
> > interoperability, IMHO we should let the market do its job...
> > And I don't believe implementors who still have NAT-T support
> > in their plans like to become not compliant.
> 
> If we're not going to make sure that IKEv2 works across NAT, then I
> think we should just go home now.  Read after me: A road warrior has
> no choice over whether there is a NAT is between them and their home
> base.  We should support this (EXTREMELY) common case.

Let me second this.  The market *is* doing its job - *lots* of 
remote worker products are moving to non-IPSEC encryption protocols.
Look at URoam, Neoteris, Netilla, Aventail, Openreach, SafeWeb, 
Imperito, and lots of others (including us).  And that's just the 
"remote work" industry.  IPSEC (as implemented) is a massive pain wrt 
NAT.  Even if users have a choice to remove their NAT (i.e. their home
Linksys router), they usually don't want to or can't.

I realize there are lots of other ways for IPSEC to be employed, but
remote network access is certainly a key area that is hurting because
of this.  I strongly recommend a MUST for NAT-T.

 -sd