
Re: Resolution of my discuss comments for draft-ietf-v6ops-nap-02.txt
Fred,

Are you suggesting changing the text below in some
manner? It seems that this point is still covered under
the works in some cases/does not work in all cases
language.

(By the way, it is my belief that IPsec NAT traversal UDP
encapsulation is used commonly even for tunnel mode VPN
connections, for various reasons. The primary reason is
that when there are multiple clients behind the same NAT,
the NAT is unable to determine where a particular return
packet should go to -- the SPIs are different in different
directions and their negotiation is encrypted so the NAT
can't peek into the packet to find out. You can guess, but
there is no guarantee that this always works.)

--Jari

Fred Baker wrote:

> for the record, this is only true of transport mode. tunnel mode works
> just fine in IPv4, and I have every reason to believe that it will
> continue to do so in IPv6. I use tunnel mode a lot, including at IETF
> meetings.
>
> On Jul 23, 2006, at 12:42 PM, Jari Arkko wrote:
>
>>> 4.2 -2 does not oversell IPsec, it simply states the real situation.
>>>
>>>
>> I'm not going to hold your document based on the -03 text, but
>> I would still suggest the following edit:
>>
>> While IPsec might be available in IPv4
>> implementations and works the same way, deployment in NAT
>> environments either breaks the protocol or requires complex
>> helper services with limited functionality or efficiency.
>> =>
>> While IPsec is commonly available in IPv4 implementations
>> and can support NATs, NAT support has limitations and
>> does not work in all situations. In addition, the use of IPsec
>> with NATs consumes extra bandwidth for UDP encapsulation
>> and keepalive overhead.
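The demultiplexing problem Jari describes (return ESP packets for several clients behind one NAT, with SPIs the NAT never saw) as an added toy model; this is not code from the thread. Addresses, SPIs and ports are constructed, and the NAT logic is a simplification of raw ESP versus RFC 3948 UDP encapsulation on port 4500.

```python
class Nat:
    """Toy NAPT: tracks only what a real NAT can see on outbound packets."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.esp_out = {}     # outbound SPI -> inside host
        self.udp_map = {}     # external UDP port -> (inside host, inside port)
        self.next_port = 40000

    def esp_outbound(self, src, spi):
        # Raw ESP (IP proto 50): the only demux key is the SPI, and the
        # NAT learns just the SPI the client sends with.
        self.esp_out[spi] = src
        return self.public_ip, spi

    def esp_inbound(self, spi):
        # Return packets carry the SPI chosen for the other direction inside
        # encrypted IKE, so the NAT never saw it. With one client it can
        # guess; with several there is no safe answer (None).
        if spi in self.esp_out:
            return self.esp_out[spi]
        hosts = set(self.esp_out.values())
        return hosts.pop() if len(hosts) == 1 else None

    def udp_outbound(self, src, sport):
        # UDP-encapsulated ESP (RFC 3948, port 4500): ordinary NAPT port
        # mapping, keyed on a value the NAT chooses itself.
        for ext, inside in self.udp_map.items():
            if inside == (src, sport):
                return self.public_ip, ext
        ext, self.next_port = self.next_port, self.next_port + 1
        self.udp_map[ext] = (src, sport)
        return self.public_ip, ext

    def udp_inbound(self, dport):
        return self.udp_map.get(dport)


def demo():
    """Two clients behind one NAT reach the same gateway (constructed values)."""
    nat = Nat("198.51.100.1")
    nat.esp_outbound("10.0.0.2", 0x1111)     # client A's outbound SPI
    nat.esp_outbound("10.0.0.3", 0x2222)     # client B's outbound SPI
    ambiguous = nat.esp_inbound(0xAAAA)      # gateway -> A; SPI unknown to NAT
    _, port_a = nat.udp_outbound("10.0.0.2", 4500)
    _, port_b = nat.udp_outbound("10.0.0.3", 4500)
    return ambiguous, nat.udp_inbound(port_a), nat.udp_inbound(port_b)
```

With a single client the NAT's guess in `esp_inbound` happens to work, which is why raw ESP through a NAT sometimes appears fine until a second client shows up.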