Negative. We don't want to tunnel an IPSec tunnel mode connection inside another UDP tunnel packet. This is only done to make it work through NAT, but is obviously less efficient. In a pure IPv6 world where every endpoint is uniquely addressed we may even be able to change over to using pure transport mode IPSec, since no tunnelling would be required to make it work at all. Let's not waste any more time making protocols work through NAT. Let's start making them work with IPv6.

-----Original Message-----
From: Don Stokes [mailto:don(a)daedalus.co.nz]
Sent: Sunday, 18 February 2007 4:28 p.m.
To: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] [Fwd: [pacnog] IPv4 exhaustion discussions in Asia Pacific region]

Jonny Martin wrote:
>> So perhaps we have reached a point where it should be considered bad form for one to design protocols that are not NAT friendly then?

> Ugh. Like damn near every major VPN protocol. I notice though that IPSEC now has a UDP mode, which will work through any sensible NAT. Both ESP and AH needed to die ...
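An added example, not part of the thread above and not written by any of the posters: the "UDP mode" Don refers to is UDP encapsulation of ESP and IKE on port 4500 (RFC 3948). A receiver demultiplexes the two by the first four bytes of the UDP payload, since ESP SPI 0 is reserved and IKE is prefixed with a four-zero-byte "non-ESP marker"; a lone 0xFF byte is the NAT keepalive. The code also puts numbers on the efficiency point in the reply, counting only the fixed headers in front of the protected payload (outer IP, UDP when NAT-T is in use, SPI plus sequence number, and the inner IP header that tunnel mode carries). IV, padding and ICV are cipher-dependent and identical across modes, so they are left out. The sample packets are constructed for this example, not captured traffic.

```python
"""Added example: demultiplex IPsec NAT-T (UDP/4500) payloads per RFC 3948
and compare fixed per-packet header overhead of ESP tunnel mode behind NAT
against ESP transport mode on IPv6. Sample packets are constructed here,
not captured traffic."""
import struct

NAT_T_PORT = 4500                      # UDP port for IKE and ESP once NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # four zero bytes in front of IKE on port 4500
NAT_KEEPALIVE = b"\xff"                # single 0xFF byte NAT keepalive

IPV4_HDR = 20   # IPv4 header without options
IPV6_HDR = 40   # fixed IPv6 header
UDP_HDR = 8
ESP_HDR = 8     # SPI (4) + sequence number (4); IV, trailer and ICV excluded


def classify_udp4500_payload(payload: bytes) -> str:
    """Return 'nat-keepalive', 'ike', 'esp' or 'malformed' for a UDP/4500 payload.

    ESP SPI 0 is reserved, so a payload starting with four zero bytes can only
    be IKE behind the non-ESP marker; anything else is UDP-encapsulated ESP.
    """
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def esp_spi_and_seq(payload: bytes):
    """Parse SPI and sequence number from a UDP-encapsulated ESP payload."""
    if classify_udp4500_payload(payload) != "esp" or len(payload) < ESP_HDR:
        raise ValueError("not a UDP-encapsulated ESP packet")
    return struct.unpack("!II", payload[:ESP_HDR])


def header_overhead(mode: str, outer_ip_version: int, nat_t: bool,
                    inner_ip_version: int = 4) -> int:
    """Bytes of fixed headers in front of the protected payload.

    Tunnel mode carries a full inner IP header; NAT-T adds a UDP header.
    """
    outer = IPV4_HDR if outer_ip_version == 4 else IPV6_HDR
    total = outer + ESP_HDR
    if nat_t:
        total += UDP_HDR
    if mode == "tunnel":
        total += IPV4_HDR if inner_ip_version == 4 else IPV6_HDR
    elif mode != "transport":
        raise ValueError("mode must be 'tunnel' or 'transport'")
    return total


# Constructed sample payloads (not captured traffic).
IKE_SA_INIT = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII",
    b"\x11" * 8,   # initiator SPI (arbitrary)
    b"\x00" * 8,   # responder SPI, zero in the first message
    33,            # next payload: SA
    0x20,          # IKEv2 major/minor version
    34,            # exchange type IKE_SA_INIT
    0x08,          # flags: Initiator
    0,             # message ID
    28,            # length (header only in this sample)
)
ESP_PACKET = struct.pack("!II", 0x10000001, 1) + b"\xaa" * 24  # SPI, seq, opaque body
KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for name, pkt in (("ike", IKE_SA_INIT), ("esp", ESP_PACKET), ("keepalive", KEEPALIVE)):
        print(name, "->", classify_udp4500_payload(pkt))
    print("ESP tunnel mode, IPv4 outer, NAT-T:", header_overhead("tunnel", 4, True), "bytes")
    print("ESP transport mode, IPv6, no NAT-T:", header_overhead("transport", 6, False), "bytes")
```

Running it shows the two cases the reply contrasts: tunnel mode over IPv4 with NAT-T spends 56 fixed header bytes per packet (20 + 8 + 8 + 20) against 48 for transport mode over IPv6 (40 + 8), so the saving is real but smaller than the dropped UDP and inner headers alone suggest, because the IPv6 outer header is itself 20 bytes larger.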