AH or ESP

Dave Israel davei at otd.com
Tue May 26 15:54:37 CDT 2009


Tony Hain wrote:
> Merike Kaeo wrote:
> ...
>> ESP-Null came about when folks
>> realized AH could not traverse NATs.
>
> Thus the absolute reason why people should promote AH to kill off the 66nat
> nonsense. Just because you can't use it for IPv4 is no reason to avoid using
> it for IPv6 now and let its momentum suppress the 66CGN walled garden
> mindset.

That should make for a fascinating discussion.

"You should use AH."
"Why?"
"So you can't use NAT."
"Any other reason?"
"... No."
"Great.  I'll get right on that."

The delusion that network operators can successfully use unhelpful
protocols and/or smoke and mirrors to force idealist network design on
others needs to end.  People use new protocols because they are better. 
If  the benefit of moving to a new protocol does not outweigh the pain
of moving to it, people don't use it.  That's why the OSI protocols did
not kill IP like they were supposed to in the 90s, it is why the largely
forgotten mandated move from Windows to secure OSes (i.e., Unix) for all
government employees never happened, and it is why IPv6 is sputtering. 
If people want to use NAT, they are going to use NAT.  They may stop
using it if the widespread adoption of peer to peer protocols means they
are missing out on things other people are doing.  They are not going to
stop using NAT to use a protocol maliciously designed to break it; they
will just wait, patiently and nearly always successfully, for somebody
to come out with a version that has no such malice.  They are certainly
not going to stop using NAT because somebody tells them they should use
a security protocol that does not secure anything worth securing.

BitTorrent is a better anti-NAT tool than AH ever will be.  More carrot,
less stick.

-Dave
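The point quoted from Merike Kaeo at the top of the thread, that AH cannot traverse NATs while ESP (even with NULL encryption) can, comes down to what each protocol's integrity check value (ICV) covers. The following is an added illustration, not part of the original thread: a toy re-implementation of the ICV computations of RFC 4302 (AH) and RFC 4303 (ESP) in transport mode over constructed packets. HMAC-SHA1-96 is used as the integrity algorithm, and the key, SPIs and addresses are made up for the demonstration; this is not a real IPsec stack.

```python
"""AH vs ESP-NULL under NAT: which bytes does the ICV cover?

Toy model of RFC 4302 (AH) and RFC 4303 (ESP) integrity checks in transport
mode. Constructed example; key, SPIs and addresses are made up.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed; not a real SA key
ICV_LEN = 12                   # HMAC-SHA1-96 truncation (RFC 2404)
IPPROTO_ESP, IPPROTO_AH, IPPROTO_UDP = 50, 51, 17


def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words; caller zeroes the checksum field."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, _addr(src), _addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def nat_rewrite_src(ip_hdr: bytes, new_src: str) -> bytes:
    """What a source NAT does: rewrite the source address and fix the IP checksum."""
    hdr = ip_hdr[:10] + b"\x00\x00" + _addr(new_src) + ip_hdr[16:]
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """AH ICV covers the IP header with mutable fields zeroed, the AH header
    (ICV field zeroed) and the payload. Mutable IPv4 fields per RFC 4302 are
    TOS, flags/fragment offset, TTL and header checksum. The source and
    destination addresses are treated as immutable and ARE covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    data = bytes(h) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv(key: bytes, esp_body: bytes) -> bytes:
    """ESP ICV covers SPI + sequence number + payload + trailer only.
    The outer IP header is not covered, so a NAT may rewrite it freely."""
    return hmac.new(key, esp_body, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src: str, dst: str, payload: bytes):
    # Next header, payload len (AH length in 32-bit words minus 2), reserved, SPI, seq
    ah_no_icv = struct.pack("!BBHII", IPPROTO_UDP, (12 + ICV_LEN) // 4 - 2, 0, 0x1000, 1)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + len(ah_no_icv) + ICV_LEN + len(payload))
    return ip_hdr, ah_no_icv + ah_icv(KEY, ip_hdr, ah_no_icv, payload), payload


def verify_ah(ip_hdr: bytes, ah: bytes, payload: bytes) -> bool:
    ah_no_icv, icv = ah[:-ICV_LEN], ah[-ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(KEY, ip_hdr, ah_no_icv, payload))


def build_esp_null_packet(src: str, dst: str, payload: bytes):
    pad_len = (-(len(payload) + 2)) % 4                  # align trailer to 32 bits
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_UDP])
    esp_body = struct.pack("!II", 0x2000, 1) + payload + trailer   # NULL encryption
    ip_hdr = ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp_body) + ICV_LEN)
    return ip_hdr, esp_body + esp_icv(KEY, esp_body)


def verify_esp(ip_hdr: bytes, esp: bytes) -> bool:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(KEY, body))


def demo() -> dict:
    """Send both packet types through a NAT that rewrites the source address."""
    payload = b"constructed UDP payload"
    ip_ah, ah, pl = build_ah_packet("10.0.0.2", "192.0.2.10", payload)
    ip_esp, esp = build_esp_null_packet("10.0.0.2", "192.0.2.10", payload)
    nat_ah = nat_rewrite_src(ip_ah, "203.0.113.7")
    nat_esp = nat_rewrite_src(ip_esp, "203.0.113.7")
    return {
        "ah_before_nat": verify_ah(ip_ah, ah, pl),
        "ah_after_nat": verify_ah(nat_ah, ah, pl),
        "esp_before_nat": verify_esp(ip_esp, esp),
        "esp_after_nat": verify_esp(nat_esp, esp),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV OK' if ok else 'ICV FAIL'}")
```

Running it shows the AH ICV failing the moment the NAT rewrites the source address, while the ESP-NULL ICV still verifies, because AH binds the addresses into the check and ESP does not. That is the whole mechanism behind the quoted remark, and it is why NAT traversal for IPsec was built around ESP rather than AH.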