On 19 Jun 2003 06:59:56 -0700 Eric Rescorla <ekr(_at_)rtfm(_dot_)com> wrote:
> And the fact that NAT breaks things that you DO want to run is a <?>
> I'm not convinced that this is happening... if it is,
> why isn't there a market reaction.
Such may be building. I have a client who, for budgetary reasons, is using an
inexpensive Ameritech DSL line. Because of their location, they have
extremely limited broadband options.

Ameritech only gives them a /29, with no option for additional IPs. A
third-party vendor also requires IPsec for an application they need, and the
third party only supports pre-shared keys.

The needed three-legged firewall, bridging two interfaces and using NAT on
the third one, is rather more complicated than I wanted to deploy for a
budget-constrained customer. Neither I nor my client feels that there was
much of a win here, but there weren't any other options, either.

I'll wager that increasing use of IPsec will start to create pressure. Just
a hunch. But my customer can't create meaningful pressure when the phone
company is involved; it takes thousands of small customers screaming to get
an RBOC to take notice, maybe more. It could be a few years...
> Given that there are workarounds for these, I find this explanation
> pretty unlikely. More likely is that people's revealed preference
> is that they don't actually want this stuff.
All too often, for small customers, the workarounds are expensive or unknown
to them. In the particular case I cited above, my customer would have spent
a lot less money on my time if they could have simply gotten a /27 from
Ameritech and dispensed with port NAT entirely; they and I both know
that this was the preferred option.
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
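The three-legged firewall described in the post, as an added example that is not part of the original message or the poster's actual deployment. It is a dry-run generator for a Linux box with two interfaces bridged (so the host that must terminate IPsec keeps its real address out of the provider's /29 and never sees NAT) and a third interface masqueraded for the private LAN. Every address and interface name is an assumption: 203.0.113.8/29 (from TEST-NET-3, RFC 5737) stands in for the ISP-assigned /29, 203.0.113.9 for the ISP gateway, 203.0.113.10 for the firewall's own address, 203.0.113.11 for the IPsec host, 192.168.1.0/24 for the LAN, and eth0/eth1/eth2 for the WAN, DMZ and LAN ports. The commands are printed rather than executed, so nothing here touches the running system until the output is reviewed and piped to a root shell. The filtering of bridged frames assumes br_netfilter is available; the host address arithmetic also shows why a /27 would have changed the picture.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run generator for a three-legged
# Linux firewall. Two ports are bridged so the ISP /29 stays visible to the
# IPsec host; the third port is NATed. All values below are assumptions.
#   203.0.113.8/29   stands in for the ISP-assigned /29 (TEST-NET-3)
#   203.0.113.9      the ISP gateway on that /29
#   203.0.113.10     the firewall's own address on the bridge
#   203.0.113.11     the host that terminates IPsec and must not be NATed
#   192.168.1.0/24   the private LAN behind NAT
# Nothing is applied: commands are printed for review, e.g.  sh fw.sh | sudo sh

PUBLIC_NET=203.0.113.8/29
ISP_GW=203.0.113.9
FW_PUBLIC=203.0.113.10
IPSEC_HOST=203.0.113.11
LAN_NET=192.168.1.0/24
LAN_GW=192.168.1.1
WAN_IF=eth0   # toward the DSL modem
DMZ_IF=eth1   # bridged segment that keeps real /29 addresses
LAN_IF=eth2   # RFC 1918 LAN, masqueraded

# Host addresses left in a prefix after network, broadcast and the ISP
# gateway: 2^(32-len) - 3. A /29 leaves 5, and the firewall takes one of
# those for itself; a /27 would leave 29.
usable_hosts() {
    len=${1#*/}
    echo $(( (1 << (32 - len)) - 3 ))
}

# Legs 1 and 2: bridge WAN and DMZ. Packets to IPSEC_HOST cross the box
# with addresses untouched, so ESP (which carries no ports for a port-NAT
# to rewrite) and IKE with a pre-shared key tied to a fixed peer address
# both work without any NAT traversal.
bridge_cmds() {
    cat <<EOF
ip link add name br0 type bridge
ip link set $WAN_IF master br0
ip link set $DMZ_IF master br0
ip link set $WAN_IF up
ip link set $DMZ_IF up
ip addr add $FW_PUBLIC/29 dev br0
ip link set br0 up
ip route add default via $ISP_GW dev br0
EOF
}

# Bridged frames are still filtered: with br_netfilter loaded, iptables
# FORWARD sees them and the physdev match names the bridge ports. Only
# IKE (udp/500) and ESP (IP protocol 50) may reach IPSEC_HOST from the
# outside; replies and anything the host initiates may leave.
dmz_cmds() {
    cat <<EOF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $DMZ_IF -d $IPSEC_HOST -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $DMZ_IF -d $IPSEC_HOST -p esp -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $WAN_IF --physdev-out $DMZ_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $DMZ_IF --physdev-out $WAN_IF -s $IPSEC_HOST -j ACCEPT
EOF
}

# Leg 3: the LAN is the only place NAT happens, masquerading to the
# firewall's own /29 address on the bridge. The default policy is set
# last so nothing is dropped before the accept rules are in place.
nat_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip addr add $LAN_GW/24 dev $LAN_IF
ip link set $LAN_IF up
iptables -t nat -A POSTROUTING -s $LAN_NET -o br0 -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o br0 -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i br0 -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

all_cmds() {
    bridge_cmds
    dmz_cmds
    nat_cmds
}

echo "# $PUBLIC_NET leaves $(usable_hosts $PUBLIC_NET) host addresses"
all_cmds
```

Run it plain to read the plan, or pipe it into a root shell to apply it. The point to check before applying is the DMZ leg: no rule on that path rewrites addresses or ports, which is exactly what lets a pre-shared-key IKE peer that identifies the client by IP address keep working.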