Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs ProblemStatement

Wed, 09 Nov 2011 07:59:09 -0800 

IPv6 definitely has advantages over IPv4, and everyone should switch to IPv6 
post haste.  But reality being the way it is, accommodating IPv4 is 
sometimes unavoidable.  (Please note that I have no intention of provoking a 
religious debate here.)

Mike
----- Original Message ----- 
From: Michael Richardson
To: ipsec@ietf.org
Sent: Wednesday, November 09, 2011 4:34 AM
Subject: Re: [IPsec] New -00 draft: Creating Large Scale Mesh VPNs 
ProblemStatement



>>>>> "Michael" == Michael Ko <mich...@huaweisymantec.com> writes:
    Michael> If the end system is behind a NAT, then there is no way for
    Michael> another end system to address a packet to this end system.

Of course, the machine behind the NAT has to initiate, but there are
numerous ways that this can happen.  In particular, given a service like
TURN, HIP, or IKEv2, and a hub to exchange the outside addresses, it is
entirely possible to arrange for things to work.

    Michael> Not only is opportunistic encryption impossible, but it is
    Michael> also impossible for any communication to be initiated to
    Michael> the end system.  It may be possible for this end system to

In fact, we've done it.
The problem is that is doesn't scale to the Internet, since the
overlapping RFC1918 address ranges mean that eventually, there is
another 192.168.1.0/24 network that you want to talk to, while you are
on one.

One can pick new addresses for inside the tunnel, but which ones?
We couldn't solve this problem in a way that scaled to the Internet: the
rise of ubiquitous NAT is the reason why RFC4332 died.

While these problems are still challenging in a walled garden, they are
much more tractable.  Or, given that it's all inside a tunnel, why not
just use IPv6 addresses on the inside of host to host tunnels?

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls 
[
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net 
architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device 
driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
               then sign the petition.
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to