[Cryptography] Two quick questions about IPsec AH
Christian Huitema
huitema at huitema.net
Fri Jan 7 01:03:22 EST 2022
On 1/6/2022 6:31 PM, Peter Gutmann wrote:
> Phillip Hallam-Baker <phill at hallambaker.com> writes:
>
>> I remember sitting in an IPSEC meeting at the Dallas IETF and hearing the AD
>> call this 'a feature'.
> Yup, I remember that too (not at the Dallas IETF but elsewhere). The thinking
> was "IPsec will be bigger than NAT so if we make sure it breaks NAT, NAT will
> go away".
>
> This anti-NAT crusade within the IETF persisted for a long, long time. Look
> at RFC 3424 for example, which invented a childish backronym "UNSAF" to refer
> to NAT-traversal mechanisms so it can talk about UNSAF clients and UNSAF
> servers throughout. Section 4 is particularly amusing, describing the various
> levels of self-flagellation that any UNSAF mechanism is required by the IAB to
> subject itself to.
... which is why I had to write something like 19 iterations of the
Teredo draft in order to jump through the UNSAF loops. Standardizing
STUN also took a long time. Yes, that was silly. But the argument that I
heard then was not that "IPsec will be bigger than NAT". Yes, there was
the anti-NAT argument that IPv6 will make all that complexity go away,
but there was also the pro-NAT argument about NAT providing a firewall
service to users, so don't you dare break through that firewall, even if
it is required for video conferences or video games.
-- Christian Huitema