On 19 Jun 2003 06:59:56 -0700 Eric Rescorla <ekr@rtfm.com> wrote:

> Valdis.Kletnieks@vt.edu writes:
> > And the fact that NAT breaks things that you DO want to run is a <?>
> I'm not convinced that this is happening... if it is,
> why isn't there a market reaction.

such may be building. i have a client who for budgetary reasons is using
an inexpensive Ameritech DSL line. because of their location, they have
extremely limited broadband options. Ameritech only gives them a /29,
with no option for additional IPs available. a third party vendor also
requires IPSec for an application they need, and the third party only
supports pre-shared keys. the needed three legged firewall, bridging two
interfaces and using NAT on the third one, is rather more complicated
than i wanted to deploy for a budget-constrained customer. neither i nor
my client feel that there was much of a win here, but there weren't any
other options, either.

i'll wager that increasing use of IPSec will start to create pressure.
just a hunch. but my customer can't create meaningful pressure when the
phone company is involved; it takes thousands of small customers
screaming to get an RBOC to take notice, maybe more. it could be a few
years...

> Given that there are workarounds for these, I find this explanation
> pretty unlikely. More likely is that people's revealed preference
> is that they don't actually want this stuff.

all too often, for small customers, the workarounds are expensive or
unknown to them. in the particular case i cited above, my customer would
have spent a lot less money on my time if they could have simply gotten
a /27 from Ameritech and dispensed with port NAT entirely, and they and
i both know that this was the preferred option.

richard
--
Richard Welty rwelty@averillpark.net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
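Added illustration, not part of Richard's message or of any vendor's software, of the mechanism behind "NAT plus IPsec with pre-shared keys is painful": a simplified model of the AH integrity check over an IPv4 header, plus the IKEv1 main-mode habit of selecting the pre-shared key by the peer's observed source address. Addresses and the key are constructed; the header layout follows RFC 791 and the mutable-field rule follows RFC 2402, but the packing is a teaching model, not a wire-compatible AH implementation.

```python
"""Why NAT breaks IPsec AH and main-mode PSK selection (simplified model)."""
import hashlib
import hmac
import ipaddress
import struct

PSK = b"example-pre-shared-key"   # constructed sample key, not a real secret


def build_ipv4_header(src, dst, ttl=64, proto=51, total_len=48):
    # Minimal 20-byte IPv4 header without options. The header checksum is
    # left at 0 because AH zeroes it before computing the ICV anyway.
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0x1234, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(header):
    # AH excludes fields that legitimately change in transit (TTL, header
    # checksum) from the ICV, but the source and destination addresses are
    # covered, which is exactly what a NAT device rewrites.
    h = bytearray(header)
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_icv(key, header, payload):
    # HMAC over immutable header fields plus payload, truncated to 96 bits
    # the way AH truncates HMAC-based authenticators.
    mac = hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha256)
    return mac.digest()[:12]


def verify_icv(key, header, payload, icv):
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def router_hop(header):
    # A plain router only touches mutable fields: it decrements TTL.
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def nat_hop(header, public_src):
    # A NAT box rewrites the source address, an immutable field under AH.
    h = bytearray(header)
    h[12:16] = ipaddress.IPv4Address(public_src).packed
    return bytes(h)


def ah_through_paths():
    """Return whether the receiver accepts the packet per path taken."""
    payload = b"constructed payload"
    hdr = build_ipv4_header("192.168.1.10", "203.0.113.5")   # constructed
    icv = ah_icv(PSK, hdr, payload)
    return {
        "direct": verify_icv(PSK, hdr, payload, icv),
        "via_router": verify_icv(PSK, router_hop(hdr), payload, icv),
        "via_nat": verify_icv(PSK, nat_hop(hdr, "198.51.100.7"), payload, icv),
    }


def responder_psk_table(peers):
    """IKEv1 main mode with PSK: the responder must pick the key by the
    initiator's observed source address before it can decrypt the ID payload.
    peers is a list of (inside_ip, observed_public_ip, psk); hosts sharing a
    NAT address collapse into one slot, so only one of them can have a key."""
    table = {}
    for _inside, public, psk in peers:
        table[public] = psk      # later entries overwrite earlier ones
    return table


if __name__ == "__main__":
    print(ah_through_paths())
    print(responder_psk_table([("192.168.1.10", "198.51.100.7", b"key-a"),
                               ("192.168.1.11", "198.51.100.7", b"key-b")]))
```

The router hop still verifies because TTL is excluded from the ICV; the NAT hop fails because the rewritten source address is covered by it. The second function shows the PSK-specific problem hinted at above: with the key chosen by public address, two inside hosts behind one /29 gateway cannot each have their own key, which is the sort of thing that forces the bridged-plus-NAT layout rather than straightforward port NAT.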