Re[2]: [arin-announce] IPv4 Address Space (fwd)

[Richard Welty <rwelty () averillpark net>]

On Wed, 29 Oct 2003 03:14:20 -0800 Avleen Vig <lists-nanog () silverwraith com> wrote:
> On Wed, Oct 29, 2003 at 11:03:11AM +0000, Simon Lockhart wrote:
> > No.
> > Anything that relies on knowing which host it is talking to by looking at
> > the source address of packets breaks.
> > Plenty of UDP based apps work over NAT.
 
> Indeed, and IPSec tunnels are frequently done between routers on
> networks, rather than individual hosts on networks (at least in most
> multi-site enterprises i've seen).

this is true, but incomplete. there are numerous deployment strategies
for IPSec, some of which work around NAT, some of which can be
coerced to work through NAT, and most of which don't work around
or through NAT.

businesses deploying IPSec often lack the flexibility to pick and
choose, especially in extranet deployments where two independent
business are deploying a tunnel with mismatched equipment and limited
choices. it's particularly bad when one end is a 800 lb gorilla with
all the high cards, forcing a particular set of parameters on the small
business on the other end. i've consulted for small businesses on the
wrong end of that stick, and it's no fun at all. you ought to try it some
time before you casually toss off a statement like the one quoted
above.

richard
-- 
Richard Welty                                         rwelty () averillpark net
Averill Park Networking                                         518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security