[64626] in North American Network Operators' Group
Re: [arin-announce] IPv4 Address Space (fwd)
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Oct 29 12:25:16 2003
Date: Wed, 29 Oct 2003 09:17:01 -0800
From: Owen DeLong <owen@delong.com>
To: Avleen Vig <lists-nanog@silverwraith.com>,
Simon Lockhart <simon.lockhart@bbc.co.uk>
Cc: Dave Howe <DaveHowe@gmx.co.uk>,
"Email List: nanog" <nanog@nanog.org>
In-Reply-To: <20031029111420.GS792@silverwraith.com>
Errors-To: owner-nanog-outgoing@merit.edu
However, what is authenticated in the IPSEC datagrams is the addresses
of the IKE gateways (the routers). The fact that an entire netblock
exists within the tunnel is not especially relevant to the part
that suffers from NAT breakage.
Owen
--On Wednesday, October 29, 2003 3:14 AM -0800 Avleen Vig
<lists-nanog@silverwraith.com> wrote:
>
> On Wed, Oct 29, 2003 at 11:03:11AM +0000, Simon Lockhart wrote:
>> No.
>> Anything that relies on knowing which host it is talking to by looking at
>> the source address of packets breaks.
>> Plenty of UDP based apps work over NAT.
>
> Indeed, and IPSec tunnels are frequently done between routers on
> networks, rather than individual hosts on networks (at least in most
> multi-site enterprises I've seen).
-- 
If it wasn't signed, it probably didn't come from me.
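Toy model of the NAT breakage Simon and Owen are describing: an AH-style integrity check that covers the outer header (the gateway addresses) fails once a NAT rewrites the source, while an ESP-style check over the payload alone survives. This is an added example, not code from the thread or from any IPsec implementation; the HMAC over a few header fields stands in for the real ICV, and the addresses and key are constructed.

```python
"""Toy model of why an outer-header integrity check (AH) breaks behind NAT
while a payload-only check (ESP) does not. Constructed demo, not real IPsec."""
import hmac
import hashlib
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # shared by the two IKE gateways (constructed)


@dataclass(frozen=True)
class Packet:
    src: str       # outer IP source: the IKE gateway / router address
    dst: str       # outer IP destination: the peer gateway
    payload: bytes  # the tunnelled inner datagram
    icv: bytes = b""


def ah_icv(pkt: Packet) -> bytes:
    """AH-style ICV: covers the immutable outer header fields (src, dst) and
    the payload, so a rewritten source address invalidates it."""
    covered = f"{pkt.src}>{pkt.dst}".encode() + pkt.payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def esp_icv(pkt: Packet) -> bytes:
    """ESP-style ICV: covers only the encapsulated payload, leaving the outer
    header free for a NAT to rewrite."""
    return hmac.new(KEY, pkt.payload, hashlib.sha256).digest()


def nat_rewrite(pkt: Packet, public_src: str) -> Packet:
    """A NAT in the path rewrites the outer source address; it holds no keys."""
    return replace(pkt, src=public_src)


def verify(pkt: Packet, icv_fn) -> bool:
    return hmac.compare_digest(pkt.icv, icv_fn(pkt))


def tunnel_through_nat(icv_fn, gw_private="10.0.0.1",
                       gw_public="203.0.113.7", peer="198.51.100.9") -> bool:
    """Send one protected datagram gateway -> NAT -> peer and report whether
    the peer's integrity check accepts it (addresses are constructed)."""
    pkt = Packet(src=gw_private, dst=peer, payload=b"inner datagram")
    pkt = replace(pkt, icv=icv_fn(pkt))
    on_wire = nat_rewrite(pkt, gw_public)
    return verify(on_wire, icv_fn)


if __name__ == "__main__":
    print("AH through NAT accepted: ", tunnel_through_nat(ah_icv))   # False
    print("ESP through NAT accepted:", tunnel_through_nat(esp_icv))  # True
```

Real ESP likewise leaves the outer header outside its integrity check, which is what lets UDP-encapsulated NAT traversal work; AH's coverage of the outer header is exactly the part a NAT cannot preserve.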