Summary

• NAT compatibility critical to key uses of IPSEC

• Incompatibilities are substantial and intricate

• Proposed “solutions” are often incomplete, unreliable, undeployable or create new security vulnerabilities

  • Deployability requires minimal or no changes to NATs
  • Unreliable “solutions” are more costly than no solution at all
  • Solution should not create new security vulnerabilities
  • Running code is required to prove whether a solution really works or not

• Goal is to find a solution that can be deployed sooner than IPv6

  • Worst thing is a “quick solution” that isn’t either quick or a solution

• First step: characterize the problem and develop requirements for a solution

• Second step: evaluate proposals against the requirements

Previous slide

Back to first slide

View graphic version