[Openswan dev] Question about Nat-t
jsd at av8n.com
Sun Mar 1 05:53:34 EST 2009
On Thu, 26 Feb 2009, I wrote:
>> Just as a general reminder: Anybody who is considering using
>> NAT traversal should seriously consider *not* using NAT traversal.
>> The alternative is to use IPv6
On 02/27/2009 12:34 PM, Paul Wouters replied:
> People have no choice now.
I disagree; see below.
> I'll toast with you at the next IETF Scotch bof "To the universal
> deployment of IPv6".
That is at least two leaps removed from being factual and
*) First of all, "universality" has got nothing to do with
this discussion. If I want to make an IPsec connection
from point A to point B over IP -- be it IPv4 or IPv6 --
all I need is raw IP connectivity from A to B. I don't
need to consider all possible A in the universe, or all
possible B in the universe, just the particular A and B
that I actually care about.
We don't even have universal IPv4 connectivity ... but
still, people manage to send IPsec over IPv4. Universality
is a red herring.
I'm not talking about abstractions. I'm talking about using
IPv6 if and when it solves actual practical problems. Like
in connection with IPsec.
*) Anyone who read the reference I cited would know that the
main IPv6 features work just fine when IPv6 is tunneled on
top of IPv4. This includes IPsec over IPv6 over IPv4.
In my experience, getting SIT packets to arrive at the right
place has always been easier than getting IKE and ESPinUDP
packets to arrive at the right place.
*) NAT is a kludgey way of extending the IPv4 address space.
IPv6 is an incomparably better way of extending the IPv4
The transition from NAT to IPv6 doesn't happen for free,
but often the cost is small compared to the benefits.
Simplifying the IPsec situation is only one among many
*) A basic principle of engineering is to aim for the moving
target. NAT is the way of the past. The future will be
more and more IPv6.
>> There are of course situations where you don't have enough control
>> over the situation to implement IPv6
> Like 90% of home users who are using NAT-T.
Really? Do you actually know of any home gateways that will
a) forward IKE and ESPinUDP, but
b) not properly terminate SIT tunnels, and
c) not even forward SIT packets?
If you know of any such, I'd like to hear about it. I don't
actually know of any. I'd be astonished if they made up 90%
of the market. I'd be mildly surprised if they covered even
10% of the Openswan users.
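The three questions above (does a gateway forward IKE and ESPinUDP, and does it forward or terminate SIT) come down to what the outer IPv4 packet looks like on the wire. The following is an added example, not part of the thread or of Openswan's code: a small Python classifier that parses the outer IPv4 header and labels a packet as SIT (IP protocol 41 carrying an IPv6 header), plain ESP (protocol 50), IKE on UDP 500, or one of the three things that travel on UDP 4500 under RFC 3948 (IKE prefixed by the four-zero-byte non-ESP marker, UDP-encapsulated ESP, and the one-byte 0xFF NAT keepalive). The sample packets, addresses (documentation ranges) and SPI values are constructed; the IPv4 checksum is left at zero since the point is the encapsulation, not a valid capture. Running the classifier over a capture at the inside and outside of a gateway is one way to check, rather than guess, which of these a given box actually passes.

```python
import ipaddress
import struct

# Protocol numbers and ports relevant to the thread.
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41       # IPv6-in-IPv4, i.e. a SIT / 6in4 tunnel
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500
# RFC 3948: IKE carried on UDP 4500 is prefixed with four zero bytes so it
# cannot be confused with ESP, whose SPI 0 is reserved.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum 0) around payload. Constructed sample data."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP header (checksum 0, which is legal for IPv4) around data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ipv6(next_header, src, dst, payload):
    """Fixed 40-byte IPv6 header around payload; used as the inner packet of a SIT tunnel."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from the outer IPv4 header, or raise on junk."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), pkt[ihl:total_len]


def classify(pkt):
    """Label what a middlebox would have to pass for this packet: (kind, details)."""
    proto, src, dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_IPV6:
        # SIT: the IPv4 payload must itself start with an IPv6 header.
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "sit-malformed", {"outer": (src, dst)}
        return "sit", {"outer": (src, dst),
                       "inner": (str(ipaddress.IPv6Address(payload[8:24])),
                                 str(ipaddress.IPv6Address(payload[24:40]))),
                       "inner_next_header": payload[6]}   # 50 means IPsec over IPv6 over IPv4
    if proto == IPPROTO_ESP:
        if len(payload) < 8:
            return "esp-malformed", {}
        spi, seq = struct.unpack("!II", payload[:8])
        return "esp", {"spi": spi, "seq": seq}
    if proto == IPPROTO_UDP:
        if len(payload) < 8:
            return "udp-malformed", {}
        sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", payload[:8])
        data = payload[8:]
        ports = {"sport": sport, "dport": dport}
        if IKE_PORT in (sport, dport):
            return "ike", ports
        if NATT_PORT in (sport, dport):
            if data == b"\xff":                      # RFC 3948 section 2.3 keepalive
                return "nat-keepalive", ports
            if data[:4] == NON_ESP_MARKER:           # IKE behind the non-ESP marker
                return "ike-natt", ports
            if len(data) >= 8:                       # otherwise UDP-encapsulated ESP
                spi, seq = struct.unpack("!II", data[:8])
                return "esp-in-udp", {**ports, "spi": spi, "seq": seq}
            return "natt-malformed", ports
        return "udp", ports
    return "other", {"proto": proto}


def sample_packets():
    """Constructed packets, one per encapsulation; addresses are RFC documentation ranges."""
    a4, b4 = "192.0.2.10", "198.51.100.20"
    esp_in_v6 = struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 16    # constructed ESP body
    inner6 = build_ipv6(IPPROTO_ESP, "2001:db8::a", "2001:db8::b", esp_in_v6)
    ike_body = b"\x11" * 8 + b"\x00" * 20                            # placeholder IKE header bytes
    esp_body = struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16
    return {
        "sit": build_ipv4(IPPROTO_IPV6, a4, b4, inner6),
        "ike": build_ipv4(IPPROTO_UDP, a4, b4, build_udp(500, 500, ike_body)),
        "ike-natt": build_ipv4(IPPROTO_UDP, a4, b4, build_udp(4500, 4500, NON_ESP_MARKER + ike_body)),
        "esp-in-udp": build_ipv4(IPPROTO_UDP, a4, b4, build_udp(4500, 4500, esp_body)),
        "keepalive": build_ipv4(IPPROTO_UDP, a4, b4, build_udp(4500, 4500, b"\xff")),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:>11}: {classify(pkt)}")
```

The SIT case is the one the thread is about: a gateway that forwards protocol 41 unchanged needs no port mapping at all, whereas the UDP 4500 cases all depend on the NAT keeping a mapping alive, which is why the keepalive exists in the first place.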