Phillip Hallam-Baker writes:
> IPSEC as defined in the standards is completely useless because it
> doesn't work through NAT. And I remember the two Security ADs
> chuckling that it was a feature not a bug.

(I assume you mean IPsec?)

IPsec NAT Traversal using UDP encapsulation was standardized in 2005 for the original IKEv1, and the IKEv2 (standardized in 2005) had that built in from the beginning.

And yes, there is still AH that is explicitly authenticating the IP headers, which is not compatible with NATs, as AH is trying to detect when someone modifies the IP header, and there it is a feature, not a bug. But if you do not want to verify the IP header, then you can use ESP instead, and that does provide NAT traversal.

--
kivi...@iki.fi
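
The AH versus ESP distinction in the reply above, as an added example that is not part of the original thread: a simplified Python model of what each integrity check value (ICV) covers, checked after a plain router hop and after a NAT hop. The key, addresses, SPI, sequence number and payload are constructed, the AH and ESP headers are reduced to SPI plus sequence number, and HMAC-SHA-256 truncated to 128 bits stands in for the negotiated integrity algorithm.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"            # constructed sample key
SPI_SEQ = struct.pack("!II", 0x1001, 1)  # constructed SPI and sequence number

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; checksum left at 0 because AH zeroes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def forward(header, new_src=None):
    """A router hop decrements TTL; a NAT additionally rewrites the source."""
    h = bytearray(header)
    h[8] -= 1
    if new_src:
        h[12:16] = socket.inet_aton(new_src)
    return bytes(h)

def ah_icv(header, payload):
    """AH-style ICV (RFC 4302): IP header with mutable fields zeroed + payload."""
    h = bytearray(header)
    h[1] = 0                # DSCP/ECN
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    # Source and destination addresses are immutable fields and stay in the input.
    return hmac.new(KEY, bytes(h) + SPI_SEQ + payload, hashlib.sha256).digest()[:16]

def esp_icv(header, payload):
    """ESP-style ICV (RFC 4303): ESP header + payload; outer IP header excluded."""
    return hmac.new(KEY, SPI_SEQ + payload, hashlib.sha256).digest()[:16]

def run_demo():
    """Return {protocol: (valid after router hop, valid after NAT hop)}."""
    payload = b"constructed payload bytes"
    results = {}
    for name, icv, proto in (("AH", ah_icv, 51), ("ESP", esp_icv, 50)):
        sent = ipv4_header("10.0.0.5", "198.51.100.7", proto, len(payload))
        tag = icv(sent, payload)
        routed = forward(sent)                         # TTL change only
        natted = forward(sent, new_src="203.0.113.9")  # TTL + source rewrite
        results[name] = (hmac.compare_digest(tag, icv(routed, payload)),
                         hmac.compare_digest(tag, icv(natted, payload)))
    return results

if __name__ == "__main__":
    print(run_demo())
```

The AH check survives the TTL change because TTL is treated as mutable, and fails once the source address is rewritten; the ESP check is unaffected by either hop because the outer IP header is never part of its input.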