
Re: NAT Not Needed To Make Renumbering Easy

2009-11-09 22:12:34
On 8 Nov 2009, at 16:22, Phillip Hallam-Baker wrote:

> There are two typical modes of deployment for IPSEC; the first is as a
> lousy remote access protocol where the lack of NAT support makes it
> far more effort than other solutions. SSL and SSH remote access just
> works, IPSEC VPN may or may not work depending on the phase of the
> moon. The third party clients are terrible, the built in support in
> the O/S is unusable because it does not have the tweaks necessary to
> get through the firewall. So we do not really have a standard for
> IPSEC remote access.

There's at least one product making actual money in this space, Hamachi ( http://www.hamachi.cc/ ). Basically third-party-mediated IPSec-lite that goes over NAT. If you must use NAT, at least be aware of what can come back to your network due to NAT behaviour and internally initiated connections. I don't think NAT is providing the right kind of security here. But I must be careful not to start another flame war.

But anyway, IPv6/Teredo does the same thing, and better; Microsoft is working on going that extra mile with IP over HTTPS, too, so soon we'll have peer-to-peer VPNs that really do "Just work". In every case it is better than Hamachi's use of unassigned address space, and in no case better than fixing the trouble at the root, and shredding NAT.

But, if NAT's your thing ...

Cheers,
Sabahattin

_______________________________________________
Ietf mailing list
ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
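The remark above about "what can come back to your network due to NAT behaviour and internally initiated connections" is easiest to see with a model of the NAT itself. The following Python is an added example, not code from the thread or from any of the products mentioned; it simulates a NAT with endpoint-independent mapping and lets you pick the filtering behaviour using the RFC 4787 terms (endpoint-independent, address-dependent, address-and-port-dependent). An inside host sends one outbound packet, and the example then checks which unsolicited packets from outside are forwarded through the mapping that the outbound packet created. The addresses, ports and class names (`Nat`, `Packet`, `Mapping`, `what_comes_back`) are constructed for the illustration.

```python
"""
Added example (not part of the original post): a toy NAT showing that once an
inside host initiates a flow, a mapping exists on the NAT, and what the outside
world can then send back in is decided by the NAT's filtering behaviour rather
than by any access policy the administrator wrote down.  All addresses below
are from the documentation ranges and all packets are constructed samples.
"""
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.1"   # the NAT's public address (constructed)

FILTERING_MODES = (
    "endpoint-independent",          # "full cone": anyone may send to the mapping
    "address-dependent",             # only hosts the inside host has already talked to
    "address-and-port-dependent",    # only the exact (host, port) pairs already contacted
)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Mapping:
    internal: tuple                      # (ip, port) of the inside host
    external_port: int                   # port allocated on EXTERNAL_IP
    peers: set = field(default_factory=set)  # (ip, port) pairs the inside host sent to


class Nat:
    """Endpoint-independent mapping (one external port per inside ip:port),
    with a selectable inbound filtering behaviour."""

    def __init__(self, filtering):
        if filtering not in FILTERING_MODES:
            raise ValueError(f"unknown filtering mode: {filtering}")
        self.filtering = filtering
        self.by_internal = {}        # (ip, port) -> Mapping
        self.by_external_port = {}   # external port -> Mapping
        self.next_port = 40000

    def outbound(self, pkt):
        """Translate an inside->outside packet, creating a mapping if needed."""
        key = (pkt.src_ip, pkt.src_port)
        m = self.by_internal.get(key)
        if m is None:
            m = Mapping(internal=key, external_port=self.next_port)
            self.next_port += 1
            self.by_internal[key] = m
            self.by_external_port[m.external_port] = m
        m.peers.add((pkt.dst_ip, pkt.dst_port))
        return Packet(EXTERNAL_IP, m.external_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Return the translated packet delivered to the inside host, or None if dropped."""
        m = self.by_external_port.get(pkt.dst_port)
        if m is None or pkt.dst_ip != EXTERNAL_IP:
            return None                      # no mapping: nothing to forward to
        if self.filtering == "endpoint-independent":
            allowed = True
        elif self.filtering == "address-dependent":
            allowed = any(ip == pkt.src_ip for ip, _ in m.peers)
        else:
            allowed = (pkt.src_ip, pkt.src_port) in m.peers
        if not allowed:
            return None
        return Packet(pkt.src_ip, pkt.src_port, m.internal[0], m.internal[1])


def what_comes_back(filtering):
    """One outbound DNS-style query, then three unsolicited inbound probes.
    Returns {probe name: True if the probe reached the inside host}."""
    nat = Nat(filtering)
    query = Packet("192.168.1.10", 5000, "198.51.100.7", 53)   # inside host -> server
    out = nat.outbound(query)
    probes = {
        "same server, same port": Packet("198.51.100.7", 53, EXTERNAL_IP, out.src_port),
        "same server, other port": Packet("198.51.100.7", 9999, EXTERNAL_IP, out.src_port),
        "unrelated third host": Packet("198.51.100.250", 4444, EXTERNAL_IP, out.src_port),
    }
    return {name: nat.inbound(p) is not None for name, p in probes.items()}


if __name__ == "__main__":
    for mode in FILTERING_MODES:
        print(f"{mode:30s} {what_comes_back(mode)}")
```

The point for a defender is the first column of the output: with endpoint-independent filtering, a single outbound packet from the inside is enough for any host on the Internet to reach the inside host on that mapping for as long as the NAT keeps it, which is exactly the property peer-to-peer VPNs rely on and exactly why address translation is not a substitute for an explicit stateful filter.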