[Openswan dev] Qustion about Nat-t

John Denker jsd at av8n.com
Sun Mar 1 05:53:34 EST 2009

On Thu, 26 Feb 2009, I wrote:

>> Just as a general reminder:  Anybody who is considering using
>> NAT traversal should seriously consider *not* using NAT traversal.

>> The alternative is to use IPv6

On 02/27/2009 12:34 PM, Paul Wouters replied:

> People have no choice now.

I disagree; see below.

> I'll toast with you at the next IETF Scotch bof "To the universal
> deployment of IPv6".

That is at least two leaps removed from being factual and

 *) First of all, "universality" has got nothing to do with
  this discussion.  If I want to make an IPsec connection
  from point A to point B over IP -- be it IPv4 or IPv6 --
  all I need is raw IP connectivity from A to B.  I don't
  need to consider all possible A in the universe, or all 
  possible B in the universe, just the particular A and B
  that I actually care about.

  We don't even have universal IPv4 connectivity ... but
  still, people manage to send IPsec over IPv4.  Universality
  is a red herring.

  I'm not talking about abstractions.  I'm talking about using
  IPv6 if and when it solves actual practical problems.  Like 
  in connection with IPsec.

 *) Anyone who read the reference I cited would know that the
  main IPv6 features work just fine when IPv6 is tunneled on
  top of IPv4.  This includes IPsec over IPv6 over IPv4.

  In my experience, getting SIT packets to arrive at the right
  place has always been easier than getting IKE and ESPinUDP 
  packets to arrive at the right place.

 *) NAT is a kludgey way of extending the IPv4 address space.
  IPv6 is an incomparably better way of extending the IPv4
  address space.

  The transition from NAT to IPv6 doesn't happen for free,
  but often the cost is small compared to the benefits.
  Simplifying the IPsec situation is only one among many

 *) A basic principle of engineering is to aim for the moving
  target.  NAT is the way of the past.  The future will be
  more and more IPv6.

>> There are of course situations where you don't have enough control
>> over the situation to implement IPv6
> Like 90% of home users who are using NAT-T.

Really?  Do you actually know of any home gateways that will
  a) forward IKE and ESPinUDP, but
  b) not properly terminate SIT tunnels, and
  c) not even forward SIT packets?

If you know of any such, I'd like to hear about it.  I don't
actually know of any.  I'd be astonished if they made up 90% 
of the market.  I'd be mildly surprised if they covered even 
10% of the Openswan users.
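To make the three gateway behaviours above concrete, here is an added example (my own illustration, not code from this thread or from Openswan) that classifies the on-the-wire forms the post contrasts: native ESP (IP protocol 50), IKE on UDP/500, NAT-T on UDP/4500 (where RFC 3948 distinguishes IKE from ESP by a four-zero-byte "non-ESP marker"), and SIT/6in4 (IP protocol 41, RFC 4213) carrying IPv6 whose next header is ESP or IKE. The sample packets are constructed inline with placeholder addresses and dummy ESP/IKE bodies; the header layouts are the real ones, the payload contents are not.

```python
"""Classify IPsec-related packets by their outer IPv4 encapsulation.

Added illustration for the NAT-T vs. IPv6-over-IPv4 (SIT) discussion.
All sample packets below are constructed; addresses and payloads are
placeholders, only the header layouts follow the RFCs.
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_IPV6 = 41   # 6in4 / SIT encapsulation (RFC 4213)
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500   # UDP encapsulation of ESP and IKE (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header, checksum left zero (not needed for classification).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    # 40-byte IPv6 header: version 6, no traffic class / flow label.
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def _classify_udp(sport: int, dport: int, data: bytes, via: str) -> str:
    if IKE_PORT in (sport, dport):
        return "ike" + via
    if NAT_T_PORT in (sport, dport):
        # RFC 3948: IKE on 4500 is prefixed with four zero bytes; ESP starts with a non-zero SPI.
        return ("ike-nat-t" if data[:4] == NON_ESP_MARKER else "esp-in-udp") + via
    return "udp-other" + via


def classify(pkt: bytes) -> str:
    """Return a label describing what an IPv4 gateway must forward for this packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP:
        return "esp"                       # native ESP; the case NAT cannot rewrite
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        return _classify_udp(sport, dport, payload[8:], "")
    if proto == IPPROTO_IPV6:               # SIT: whole IPv6 packet rides inside protocol 41
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "sit-malformed"
        inner_nh, inner = payload[6], payload[40:]
        if inner_nh == IPPROTO_ESP:
            return "esp-over-ipv6-over-ipv4"
        if inner_nh == IPPROTO_UDP and len(inner) >= 8:
            sport, dport = struct.unpack("!HH", inner[:4])
            return _classify_udp(sport, dport, inner[8:], "-over-ipv6-over-ipv4")
        return "ipv6-over-ipv4"
    return f"ipv4-proto-{proto}"


# --- constructed sample packets (placeholder addresses, dummy bodies) ---
ESP_BODY = struct.pack("!II", 0x0A1B2C3D, 1) + b"\x11" * 16   # SPI, seq, fake ciphertext
IKE_BODY = b"\x22" * 28                                       # 28-byte IKE header placeholder


def build_native_esp(src="192.0.2.10", dst="198.51.100.20") -> bytes:
    return ipv4_header(src, dst, IPPROTO_ESP, len(ESP_BODY)) + ESP_BODY


def build_ike(src="192.0.2.10", dst="198.51.100.20") -> bytes:
    body = udp_header(IKE_PORT, IKE_PORT, len(IKE_BODY)) + IKE_BODY
    return ipv4_header(src, dst, IPPROTO_UDP, len(body)) + body


def build_ike_nat_t(src="192.0.2.10", dst="198.51.100.20") -> bytes:
    data = NON_ESP_MARKER + IKE_BODY
    body = udp_header(NAT_T_PORT, NAT_T_PORT, len(data)) + data
    return ipv4_header(src, dst, IPPROTO_UDP, len(body)) + body


def build_esp_in_udp(src="192.0.2.10", dst="198.51.100.20") -> bytes:
    body = udp_header(NAT_T_PORT, NAT_T_PORT, len(ESP_BODY)) + ESP_BODY
    return ipv4_header(src, dst, IPPROTO_UDP, len(body)) + body


def build_sit_esp(src="192.0.2.10", dst="198.51.100.20",
                  src6="2001:db8::1", dst6="2001:db8::2") -> bytes:
    inner = ipv6_header(src6, dst6, IPPROTO_ESP, len(ESP_BODY)) + ESP_BODY
    return ipv4_header(src, dst, IPPROTO_IPV6, len(inner)) + inner


if __name__ == "__main__":
    for name, pkt in [("native esp", build_native_esp()), ("ike", build_ike()),
                      ("ike nat-t", build_ike_nat_t()), ("esp-in-udp", build_esp_in_udp()),
                      ("sit esp", build_sit_esp())]:
        print(f"{name:12s} -> {classify(pkt)}")
```

Run it and the three gateway requirements from the post map onto three labels: a NAT-T setup needs `ike`/`ike-nat-t`/`esp-in-udp` forwarded and their port mappings kept alive, whereas the SIT alternative needs only that protocol-41 datagrams reach the tunnel endpoint; the classifier reports the latter as `esp-over-ipv6-over-ipv4` regardless of what the inner IPv6 carries.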
