Fred,
Are you suggesting changing the text below in some
manner? It seems that this point is still covered under
the "works in some cases / does not work in all cases"
language.
(By the way, it is my belief that IPsec NAT traversal UDP
encapsulation is used commonly even for tunnel mode VPN
connections, for various reasons. The primary reason is
that when there are multiple clients behind the same NAT,
the NAT is unable to determine where a particular return
packet should go to -- the SPIs are different in different
directions and their negotiation is encrypted so the NAT
can't peek into the packet to find out. You can guess, but
there is no guarantee that this always works.)
--Jari
Fred Baker wrote:
for the record, this is only true of transport mode. tunnel mode works
just fine in IPv4, and I have every reason to believe that it will
continue to do so in IPv6. I use tunnel mode a lot, including at IETF
meetings.
On Jul 23, 2006, at 12:42 PM, Jari Arkko wrote:
4.2 -2 does not oversell IPsec, it simply states the real
situation.
I'm not going to hold your document based on the -03 text, but
I would still suggest the following edit:
While IPsec might be available in IPv4
implementations and works the same way, deployment in NAT
environments either breaks the protocol or requires complex
helper services with limited functionality or efficiency.
=>
While IPsec is commonly available in IPv4 implementations
and can support NATs, NAT support has limitations and
does not work in all situations. In addition, the use of IPsec
with NATs consumes extra bandwidth for UDP encapsulation
and keepalive overhead.
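To make Jari's point about SPIs and return-packet demultiplexing concrete, here is a toy simulation added for illustration (not code from the thread): a NAT with one public address serving two clients, first with raw ESP and then with UDP encapsulation on port 4500. The host and gateway addresses, SPIs and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    spi: int                       # receiver's inbound SPI, chosen by the receiver
    udp_src: Optional[int] = None  # None: raw ESP (IP proto 50); else NAT-T UDP port
    udp_dst: Optional[int] = None

class Nat:
    """Port-translating NAT with a single public address (constructed model)."""
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.udp_map: Dict[int, Tuple[str, int]] = {}   # public port -> (host, port)
        self.esp_peers: Set[Tuple[str, str]] = set()    # (host, gateway) for raw ESP
        self.next_port = 40000

    def outbound(self, p: Packet) -> Packet:
        if p.udp_src is None:
            # Raw ESP has no port. The NAT only learns "host talks ESP to gateway";
            # the SPI the gateway will use for replies was negotiated inside
            # encrypted IKE, so the NAT cannot build a reverse mapping from it.
            self.esp_peers.add((p.src, p.dst))
            return Packet(self.public_ip, p.dst, p.spi)
        port, self.next_port = self.next_port, self.next_port + 1
        self.udp_map[port] = (p.src, p.udp_src)   # per-flow UDP port mapping
        return Packet(self.public_ip, p.dst, p.spi, port, p.udp_dst)

    def inbound(self, p: Packet) -> List[str]:
        """Candidate private hosts for a return packet; >1 means ambiguous."""
        if p.udp_dst is None:
            return sorted(h for h, gw in self.esp_peers if gw == p.src)
        return [self.udp_map[p.udp_dst][0]]

def demo(nat_t: bool) -> List[str]:
    gw, nat = "198.51.100.1", Nat("203.0.113.7")
    udp = 4500 if nat_t else None
    for i, client in enumerate(["10.0.0.11", "10.0.0.12"]):
        # Each client's outbound ESP carries the gateway's inbound SPI (constructed).
        nat.outbound(Packet(client, gw, spi=0x1001 + i, udp_src=udp, udp_dst=udp))
    # Gateway replies to the second client with the SPI it assigned to that
    # client's inbound SA; with NAT-T it addresses the translated port 40001.
    reply = Packet(gw, nat.public_ip, spi=0x2002, udp_src=udp,
                   udp_dst=40001 if nat_t else None)
    return nat.inbound(reply)
```

Raw ESP yields two candidate hosts (the NAT can only guess), while UDP encapsulation resolves the reply to exactly one.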