RE: [arin-announce] IPv4 Address Space (fwd)

The fact that something can be worked around with enough
footwork really doesn't make it okay.

Sure. Neither is it ok for VPN vendors to pretend as if NAT wasn't a part
of daily life and reality.

Consider the congestion related behavior of TCP inside TCP.
Consider the additional per-packet overhead of TCP encap, and
the effect of the additional fragmentation that will happen
since few networks will pass datagrams over 1500 bytes.

So? So fragmentation will happen. Look at all the existing DSL etc
infrastructures where you do have to live with MTU molestations. Frag
happens. So what. It still works nicely.

What are we gonna do next? Whine about broken PMTUD?

If network operators had demanded IPv6 in the past far more
products today would be enabled and the 'upgrades are
expensive' argument would be moot. Simply passing the buck
to the customer is not a globally wise solution.

Sure.

Simply ignoring present reality isn't a globally wise solution. Hence we
have broken VPN products incapable of dealing with NAT. Some are capable of
dealing with NAT just fine, and are readily available. Enough said.

VPN vendors incapable of dealing with NAT (which is really a quite simple
fix, totally independent of the NAT box) should be terminated with extreme
prejudice.
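The per-packet overhead and fragmentation argued over above, worked through as an added example (not code from either correspondent): it sizes a tunnelled IPv4 packet for a TLS-over-TCP tunnel and for ESP-in-UDP, counts the fragments a 1500-byte path produces, and derives the inner MSS clamp operators use to avoid fragmentation. The ESP cipher/ICV sizes and the TLS record overhead are assumed representative values, not figures from the thread.

```python
"""Per-packet overhead and fragmentation of tunnelled IPv4 traffic.

Added example, not from the thread. Header sizes are the standard
minimum sizes; the ESP cipher/ICV sizes and the TLS record overhead
are assumptions chosen as representative.
"""
import math

IPV4_HDR = 20   # minimum IPv4 header, no options
TCP_HDR = 20    # minimum TCP header, no options
UDP_HDR = 8

# Fixed per-packet overhead of each encapsulation, excluding any
# length-dependent padding (handled in wire_size).
FIXED_OVERHEAD = {
    # Tunnel inside a TLS-protected TCP stream: outer IP + outer TCP +
    # assumed TLS 1.2 AES-GCM record (5 header + 8 nonce + 16 tag).
    "tcp_tls": IPV4_HDR + TCP_HDR + 29,
    # ESP in UDP (NAT traversal): outer IP + UDP + ESP SPI/seq (8) +
    # assumed AES-CBC IV (16) + pad-len/next-header (2) + HMAC-SHA1-96 ICV (12).
    "udp_esp": IPV4_HDR + UDP_HDR + 8 + 16 + 2 + 12,
}

def wire_size(inner_len: int, mode: str) -> int:
    """Outer IPv4 datagram size for an inner packet of inner_len bytes."""
    size = inner_len + FIXED_OVERHEAD[mode]
    if mode == "udp_esp":
        # CBC padding: inner packet plus the 2-byte trailer is padded
        # up to a multiple of the 16-byte cipher block size.
        size += (-(inner_len + 2)) % 16
    return size

def fragment_count(inner_len: int, mode: str, path_mtu: int = 1500) -> int:
    """Number of IPv4 fragments the outer datagram becomes on a path_mtu link."""
    outer = wire_size(inner_len, mode)
    if outer <= path_mtu:
        return 1
    # Every non-final fragment carries a payload that is a multiple of 8 bytes.
    per_frag = (path_mtu - IPV4_HDR) // 8 * 8
    return math.ceil((outer - IPV4_HDR) / per_frag)

def max_inner_mss(mode: str, path_mtu: int = 1500) -> int:
    """Largest inner TCP MSS that still avoids fragmentation (MSS clamp value)."""
    # Inner segment = inner IP + inner TCP + MSS bytes; search downward
    # because the udp_esp padding is not linear in the payload length.
    mss = path_mtu - FIXED_OVERHEAD[mode] - IPV4_HDR - TCP_HDR
    while wire_size(IPV4_HDR + TCP_HDR + mss, mode) > path_mtu:
        mss -= 1
    return mss
```

A full-size 1500-byte inner packet fragments in both modes, and the ESP padding pushes the safe MSS lower than the fixed overhead alone would suggest.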

In a message written on Wed, Oct 29, 2003 at 09:35:13AM -0600, Kuhtz, Christian wrote:

Simply ignoring present reality isn't a globally wise solution. Hence we
have broken VPN products incapable of dealing with NAT. Some are capable of
dealing with NAT just fine, and are readily available. Enough said.

The danger here isn't that it can be made to work, but that as
network operators we are driving application vendors to a very
dangerous lowest common denominator.

The VPN people have already figured out:

  A) The technology must run over a TCP connection that encodes no
     local endpoint information so it can pass through NAT.

  B) The technology must be able to run on TCP port 80 to bypass
     overly restrictive filters.

Other applications are doing the same. Many of the file sharing
services can already meet both of these points.

The end result is that in the near future it will be much harder,
or impossible, for network operators to collect statistics based on
traffic type or to filter particular types of traffic without being
able to dig into the payload itself and see what type of traffic
is passing.

Some people see this as a problem, some do not.