Dennis Glatting wrote:
> 
> Leslie Daigle wrote:
> >
> 
> > As an end-user, I can be as aware as I like about the security issues,
> > but if client software doesn't support security, and/or my ISP, services
> > don't support it, there's nothing I can do.
> >
> 
> Huh? You have a choice: (a) obtain a client that does support
> security; and (b) get a new ISP. Both are plentiful.

Ah, no. In the real world of the Internet today, we have LOTS of folks
who get their Internet connectivity via cable modems and DSL. Many
vendors of such services, in order to help preserve IP address space,
give out only a single IP address to each customer. Since this is
incompatible with the way people use the Internet in many cases (e.g.
MANY homes have more than one computer), Network Address Translation is
used.

NAT is the reality of the Internet today. IPSec was developed for an
Internet that existed some years back, before address allocation
policies forced NAT to become commonplace. We now are in need of
security solutions which can survive such an environment. SSL is one
such example.

NAT presents a lot of problems to the Internet architecture. It's ugly
architecturally. We all know that. We can't make it go away by
complaining about it. We could fix IPSec to survive in the current
environment, or find ways to get more people interested in IPv6, do
both, or find alternate forms of security.

Getting a new ISP, however, is NOT necessarily an option. You'd argue I
give up a cable modem for a dialup ISP? I don't think so. Application
level security (SSL, TLS, SSH) works fine for my needs and transits the
equipment I must use to exist on a cable modem.

-- 
-----------------------------------------------------------------
Daniel Senie                                        [EMAIL PROTECTED]
Amaranth Networks Inc.                    http://www.amaranth.com
