On Oct 26, 2010, at 14:18, Fernando Gont wrote:
> Sorry, but I don't follow. If the problem with widespread deployment of
> IPsec was NAT traversal, why didn't we see widespread IPsec deployment
> (for the general case) e.g. once RFC 3948 was published?
RFC 3948 really only made a variant of tunnel-mode ESP traverse NAT by
encapsulating it in UDP, and the result was predictable: widespread deployment
of tunnel-mode ESP for VPN applications where the client is behind NAT and the
access concentrator is at a globally routed and reachable address.
We still don't have much transport IPsec ESP (much less AH) in the public IPv4
Internet, and the main reason is the ubiquitous deployment of IPv4/NAPT for
address amplification purposes, especially at residential gateways.
> And: Do you expect IPsec deployment to increase dramatically as IPv6 gets
> deployed?
If you drop the need for NAPT at residential gateways, then I predict you will
see a lot more IPsec on the public Internet.
Put another way, if you're looking for an effective way to discourage the use
of IPsec over IPv6, then find a way to force residential gateways to require
IPv6/NAPT functions, e.g. to provide IPv6 address amplification. There are
probably other ways-- *better* ways-- but that's the historically proven way of
doing it.
--
james woodyatt <jhw(_at_)apple(_dot_)com>
member of technical staff, communications engineering
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
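The UDP encapsulation of ESP that the thread refers to (RFC 3948) is worth seeing on the wire, because the trick that lets it share UDP port 4500 with IKE is also why it works through NAPT at all. The following is an added example, not code from the thread or from any IETF implementation: it builds and demultiplexes the three kinds of datagram RFC 3948 defines on port 4500 (UDP-encapsulated ESP, IKE behind a four-octet zero "non-ESP marker", and the one-octet 0xFF NAT-keepalive). The UDP header is emitted with a zero checksum, as RFC 3948 section 2.1 says senders SHOULD do and receivers MUST NOT rely on. The function names, the constructed sample IKE header, and the "ciphertext" placeholder body are this example's own assumptions.

```python
"""UDP encapsulation of ESP per RFC 3948 (added example, not from the thread)."""
import struct

NAT_T_PORT = 4500                       # port shared by IKE and UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948 s2.2: 4 zero octets precede IKE on 4500
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 s2.3: keepalive is a single 0xFF octet
UDP_HDR = struct.Struct("!HHHH")        # src port, dst port, length, checksum


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP payload for ESP: SPI, sequence number, then the rest of the ESP packet.

    The SPI may not be zero: a zero first word is what marks IKE instead (s2.2).
    """
    if not 1 <= spi <= 0xFFFFFFFF:
        raise ValueError("ESP SPI must be non-zero so it cannot look like the non-ESP marker")
    return struct.pack("!II", spi, seq & 0xFFFFFFFF) + esp_body


def encapsulate_ike(ike_message: bytes) -> bytes:
    """UDP payload for IKE on port 4500: non-ESP marker followed by the IKE message."""
    return NON_ESP_MARKER + ike_message


def keepalive() -> bytes:
    """NAT-keepalive datagram body, sent to refresh the NAPT mapping (s2.3)."""
    return NAT_KEEPALIVE


def build_udp_datagram(payload: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """Prepend a UDP header; checksum is transmitted as zero (s2.1)."""
    return UDP_HDR.pack(src_port, dst_port, UDP_HDR.size + len(payload), 0) + payload


def parse_udp_datagram(datagram: bytes) -> bytes:
    """Strip the UDP header, checking only the declared length (never the checksum)."""
    if len(datagram) < UDP_HDR.size:
        raise ValueError("truncated UDP header")
    _src, _dst, length, _csum = UDP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    return datagram[UDP_HDR.size:]


def demux(udp_payload: bytes):
    """Classify a UDP/4500 payload as ('keepalive'|'ike'|'esp'|'invalid', details).

    Order matters: the 1-octet keepalive is checked first, then the zero marker,
    then anything left with at least an 8-octet ESP header is treated as ESP.
    """
    if udp_payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if len(udp_payload) < len(NON_ESP_MARKER):
        return ("invalid", None)
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("ike", udp_payload[4:])
    if len(udp_payload) < 8:
        return ("invalid", None)
    spi, seq = struct.unpack("!II", udp_payload[:8])
    return ("esp", {"spi": spi, "seq": seq, "body": udp_payload[8:]})


def run_demo():
    """Round-trip the three datagram kinds through UDP framing and return their classes."""
    # Constructed sample IKEv2 header: SPIi, SPIr, next payload, version 2.0,
    # exchange type 34 (IKE_SA_INIT), flags (initiator), message id, length.
    sample_ike = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 0, 0x20, 34, 0x08, 0, 28)
    sample_esp = encapsulate_esp(spi=0x1234ABCD, seq=1, esp_body=b"ciphertext+icv")  # placeholder body
    results = []
    for body in (keepalive(), encapsulate_ike(sample_ike), sample_esp):
        kind, _details = demux(parse_udp_datagram(build_udp_datagram(body)))
        results.append(kind)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because the NAPT only ever sees a UDP flow on port 4500, it can rewrite the outer addresses and ports freely; the ESP header and everything it protects ride unchanged inside the UDP payload, which is what makes the tunnel-mode VPN case work while leaving the NAT mapping, and therefore the keepalive, as the thing the client must keep alive.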