On Wed, 29 Oct 2003 03:14:20 -0800 Avleen Vig <lists-nanog@silverwraith.com> wrote:
On Wed, Oct 29, 2003 at 11:03:11AM +0000, Simon Lockhart wrote:
No. Anything that relies on knowing which host it is talking to by looking at the source address of packets breaks. Plenty of UDP based apps work over NAT.
Indeed, and IPSec tunnels are frequently done between routers on networks, rather than individual hosts on networks (at least in most multi-site enterprises i've seen).
this is true, but incomplete. there are numerous deployment strategies for IPSec, some of which work around NAT, some of which can be coerced to work through NAT, and most of which don't work around or through NAT. businesses deploying IPSec often lack the flexibility to pick and choose, especially in extranet deployments where two independent business are deploying a tunnel with mismatched equipment and limited choices. it's particularly bad when one end is a 800 lb gorilla with all the high cards, forcing a particular set of parameters on the small business on the other end. i've consulted for small businesses on the wrong end of that stick, and it's no fun at all. you ought to try it some time before you casually toss off a statement like the one quoted above. richard -- Richard Welty rwelty@averillpark.net Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security