
Re: recommendation against publication of draft-cerpa-necp-02.txt

2000-04-07 14:30:04
   Date: Fri, 07 Apr 2000 15:00:22 -0400
   From: Daniel Senie <dts(_at_)senie(_dot_)com>

   Ah, no. In the real world of the Internet today, we have LOTS of folks
   who get their Internet connectivity via cable modems and DSL. Many
   vendors of such services, in order to help preserve IP address space,
   give out only a single IP address to each customer. Since this is
   incompatible with the way people use the Internet in many cases (e.g.
   MANY homes have more than one computer), Network Address Translation is
   used.

   NAT is the reality of the Internet today. IPSec was developed for an
   Internet that existed some years back, before address allocation
   policies forced NAT to become commonplace. We now are in need of
   security solutions which can survive such an environment. SSL is one
   such example.

   NAT presents a lot of problems to the Internet architecture. It's ugly
   architecturally. We all know that. We can't make it go away by
   complaining about it. We could fix IPSec to survive in the current
   environment, or find ways to get more people interested in IPv6, do
   both, or find alternate forms of security.

Actually, there are other solutions to this problem --- in fact, one in
which IPSEC plays a starring role.  I've been hearing more and more
people who are using IPSEC to tunnel from their cable modem to some site
which has (a) plenty of addresses, and (b) is well connected to the
internet.  They can thus get a /28, /27, or sometimes even a /24 block
of addresses, even though their cable modem or DSL provider either won't
provide that service, or would force the customer to pay through the
nose for the block of addresses.  One advantage of using IPSEC to
solve this problem is that the ISP can't peer inside the packets to
figure out this is what's going on, so won't know that the customer is
using multiple computers through what they thought was the single
computer rate.

The downside is that your packets may take a longer-than-normal route
to get to their destination, but that's happening already even without
this hack.  For example, until I changed my DSL provider out of sheer
disgust and appallingly bad service, my packets from my home in Medford,
Massachusetts, to MIT in Cambridge, Massachusetts were going by way of
Washington, D.C. and MAE-East.

                                                        - Ted
