Re: [arin-announce] IPv4 Address Space (fwd)
Kuhtz, Christian wrote:
> And there are workarounds for all those.

NAT-T for ipsec is really intended for endnodes only - which is fine if you are doing the NAT yourself (typical medium/large company scenario - internal users shouldn't be using IPSEC, that is done at the gateway/firewall) but sucks if your cable or xDSL ISP decides NAT is the way to go. (usually followed by a "well, you shouldn't need two or more nodes there/want to run a server/care about SIP, a business should pay for a DEDICATED link" for a little three-man sales office in the backend of nowhere)

But regardless, all the workarounds are doing is trying to patch the fact that UDP dependent connections are not NAT friendly by special-casing (or app-layer proxying) particular instances of UDP in a way that doesn't drop dead TOO often....
On Wed, 29 Oct 2003 15:10:18 GMT, Dave Howe <DaveHowe@gmx.co.uk> said:
> but sucks if your cable or xDSL ISP decides NAT is the way to go. (usually followed by a "well, you shouldn't need two or more nodes there/want to run a server/care about SIP, a business should pay for a DEDICATED link" for a little three-man sales office in the backend of nowhere)
Or the road warrior case. If you send 3 engineers to Detroit and they end up at the wrong hotel.....
> But regardless, all the workarounds are doing is trying to patch the fact that UDP dependent connections are not NAT friendly by special-casing (or app-layer proxying) particular instances of UDP in a way that doesn't drop dead TOO often....
People are continually managing to make bears dance, and are surprised when said bears decide it's time to voice their opinions on the matter....
Participants (2): Dave Howe, Valdis.Kletnieks@vt.edu