Tony Hain wrote:
Merike Kaeo wrote: ...
ESP-Null came about when folks realized AH could not traverse NATs.
Thus the absolute reason why people should promote AH to kill off the 66nat nonsense. Just because you can't use it for IPv4 is no reason to avoid using it for IPv6 now and let its momentum suppress the 66CGN walled garden mindset.
That should make for a fascinating discussion. "You should use AH." "Why?" "So you can't use NAT." "Any other reason?" "... No." "Great. I'll get right on that."

The delusion that network operators can successfully use unhelpful protocols and/or smoke and mirrors to force idealist network design on others needs to end. People use new protocols because they are better. If the benefit of moving to a new protocol does not outweigh the pain of moving to it, people don't use it. That's why the OSI protocols did not kill IP like they were supposed to in the 90s; it is why the largely forgotten mandated move from Windows to secure OSes (i.e., Unix) for all government employees never happened; and it is why IPv6 is sputtering.

If people want to use NAT, they are going to use NAT. They may stop using it if the widespread adoption of peer-to-peer protocols means they are missing out on things other people are doing. They are not going to stop using NAT to use a protocol maliciously designed to break it; they will just wait, patiently and nearly always successfully, for somebody to come out with a version that has no such malice. They are certainly not going to stop using NAT because somebody tells them they should use a security protocol that does not secure anything worth securing. BitTorrent is a better anti-NAT tool than AH ever will be.

More carrot, less stick.

-Dave