On 10/24/2012 11:25 PM, Arifumi Matsumoto wrote:
Hi,

Now - if we want to make this in a routed network where the VPN tunnel is
not terminated on the device itself, then RFC 3484/RFC 6724 are not
sufficient.

That was, in fact, what I was thinking about.
Even in such a case, you can manually configure the policy table on each host
to meet the needs of such source address selection. This mechanism is included
in both RFC 3484 and RFC 6724.

Moreover, the policy table auto-configuration protocol is now at WGLC state
in 6man.


My only point is that until such an auto-configuration protocol is widely
deployed, there is a real risk that NPT will be deployed as the stopgap that
never goes away. History is on the side of network-based fixes when hosts
can't do the right thing. This working group can snarl all it likes about such
heresies, but it won't alter the outcome if there's a perceived need.

Mike
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
