North American Network Operators Group

Re: [arin-announce] IPv4 Address Space (fwd)
Kuhtz, Christian wrote:
> And there are workarounds for all those.

NAT-T for ipsec is really intended for endnodes only - which is fine if you are doing the NAT yourself (typical medium/large company scenario - internal users shouldn't be using IPSEC, that is done at the gateway/firewall) but sucks if your cable or xDSL ISP decides NAT is the way to go. (usually followed by a "well, you shouldn't need two or more nodes there/want to run a server/care about SIP, a business should pay for a DEDICATED link" for a little three-man sales office in the backend of nowhere)

But regardless, all the workarounds are doing is trying to patch the fact that UDP-dependent connections are not NAT friendly by special-casing (or app-layer proxying) particular instances of UDP in a way that doesn't drop dead TOO often....