In a message written on Wed, Oct 29, 2003 at 09:35:13AM -0600, Kuhtz, Christian wrote:
> Simply ignoring present reality isn't a globally wise solution. Hence we
> have broken VPN products incapable of dealing with NAT. Some are capable of
> dealing with NAT just fine, and are readily available. Enough said.

The danger here isn't that it can be made to work, but that as network operators we are driving application vendors to a very dangerous lowest common denominator. The VPN people have already figured out:

A) The technology must run over a TCP connection that encodes no local endpoint information so it can pass through NAT.

B) The technology must be able to run on TCP port 80 to bypass overly restrictive filters.

Other applications are doing the same. Many of the file sharing services can already meet both of these points. The end result is that in the near future it will be much harder, or impossible for network operators to collect statistics based on traffic type or to filter particular types of traffic without being able to dig into the payload itself and see what type of traffic is passing.

Some people see this as a problem, some do not.

--
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org
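
An added illustration of the measurement problem described in the message above (not part of the original post): per-port statistics compared with payload-prefix classification for the same flows. The flow records, field names and signature list are constructed for this example.

```python
from collections import Counter

# Port-to-application table of the kind used for per-port traffic statistics.
PORT_LABELS = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

# Leading bytes of the first client packet for a few well-known protocols.
PAYLOAD_SIGNATURES = [
    (b"SSH-", "ssh"),
    (b"\x13BitTorrent protocol", "bittorrent"),
    (b"\x16\x03", "tls"),  # TLS handshake record header
    (b"GET ", "http"), (b"POST ", "http"), (b"HEAD ", "http"),
]

def label_by_port(flow):
    return PORT_LABELS.get(flow["dport"], "other")

def label_by_payload(flow):
    for prefix, label in PAYLOAD_SIGNATURES:
        if flow["payload"].startswith(prefix):
            return label
    return "unknown"  # encrypted or proprietary framing: inspection fails too

def traffic_report(flows):
    """Return (bytes per label by port, bytes per label by payload, mismatches)."""
    by_port, by_payload, mismatches = Counter(), Counter(), []
    for f in flows:
        p, d = label_by_port(f), label_by_payload(f)
        by_port[p] += f["bytes"]
        by_payload[d] += f["bytes"]
        if p != d:
            mismatches.append((f["id"], p, d))
    return by_port, by_payload, mismatches

# Constructed sample flows: destination port, first payload bytes, byte count.
SAMPLE_FLOWS = [
    {"id": 1, "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\n", "bytes": 4000},
    {"id": 2, "dport": 80, "payload": b"\x13BitTorrent protocol" + bytes(8), "bytes": 90000},
    {"id": 3, "dport": 80, "payload": b"\x16\x03\x01\x00\xa5", "bytes": 30000},
    {"id": 4, "dport": 80, "payload": bytes.fromhex("9f3c11e07a42"), "bytes": 50000},
    {"id": 5, "dport": 22, "payload": b"SSH-2.0-OpenSSH_3.7\r\n", "bytes": 1200},
]

if __name__ == "__main__":
    by_port, by_payload, mismatches = traffic_report(SAMPLE_FLOWS)
    print("by port:   ", dict(by_port))
    print("by payload:", dict(by_payload))
    for flow_id, p, d in mismatches:
        print(f"flow {flow_id}: port says {p}, payload says {d}")
```

On the sample data the port table attributes every port-80 byte to HTTP, while the payload view splits it four ways and still leaves one flow unclassified.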