At 11:23 AM -0700 4/5/06, Michel Py wrote:
> John C Klensin wrote:
>> It is simply not possible to configure those devices
>> to support use of static public addresses for hosts
>> on the LAN side.
> First, this is totally false, see below.
No, it is *partially* false, but unfortunately true in many cases.
Some SOHO devices allow you to use the outside IP addresses on the
inside, and some don't.
More importantly, some that say they allow you to turn off the NAT
don't actually work. In the VPNC test lab, we have found some SOHO
systems (from more than one vendor, based on code from more than one
OEM) where turning off the NAT using the GUI didn't do anything: the
NAT was still in force. The vendors had to fix their software before
they could continue with our testing because we explicitly do not
test with NATs (except for our upcoming testing of IPsec
NAT-traversal interop).
The VPNC members were fairly happy to have discovered sooner rather
than later that their NAT configuration was not what they thought it
was. They were not happy to have to fix their code, of course, but it
is better to have to do so early in the shipping cycle before the
customer support calls come. On the other hand, one vendor who has a
series of boxes that cannot have their NATs turned off said that they
essentially never get complaints about it, even though the
always-NAT-no-matter-what "feature" is not listed on the box.
Assuming that the system documentation is correct in this area is not
a good idea, at least from the hands-on experience in our lab.
--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
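The lab finding above (GUI says "NAT off", packets say otherwise) suggests the check a practitioner would actually run: put a small reflector on the WAN side of the gateway, connect to it from a LAN host, and compare the address the reflector saw with the address the LAN host bound to. The script below is an added example, not code from the message, from VPNC, or from any vendor's test suite. It assumes a TCP reflector you control on the outside and runs both ends over loopback here so it is self-contained; in real use you would run start_reflector() on the outside host and probe() on the inside host with the reflector's public address. Treating a rewritten source port as evidence of translation, even when the address is preserved, is an assumption of this example.

```python
"""Added example: empirically check whether a gateway is still NATting.

The reflector runs on the outside (WAN-side) host; the probe runs on the
inside (LAN-side) host. If the address the reflector saw is not the address
the inside host bound to, NAT is in force whatever the GUI says.
Here both ends run over loopback so the script is self-contained.
"""
import socket
import threading


def nat_in_force(inside_ip: str, inside_port: int,
                 seen_ip: str, seen_port: int) -> bool:
    """NAT is in force if the outside observer saw a different address or port.

    Assumption of this example: a rewritten source port alone also counts as
    translation, since a gateway that keeps the address but rewrites the port
    is still not passing the host's own endpoint through.
    """
    return inside_ip != seen_ip or inside_port != seen_port


def start_reflector(listen_host: str = "127.0.0.1", listen_port: int = 0):
    """Outside side: accept TCP connections and echo back the peer address seen.

    Returns (bound_port, stop_event). Port 0 lets the OS pick a free port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)
    srv.settimeout(0.2)  # wake periodically so the loop can notice stop
    stop = threading.Event()

    def loop():
        with srv:
            while not stop.is_set():
                try:
                    conn, peer = srv.accept()
                except socket.timeout:
                    continue
                with conn:
                    # Report exactly what the outside saw, one line, "ip:port".
                    conn.sendall(f"{peer[0]}:{peer[1]}\n".encode("ascii"))

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def probe(reflector_host: str, reflector_port: int) -> dict:
    """Inside side: connect, read the reflected address, compare with our own."""
    with socket.create_connection((reflector_host, reflector_port), timeout=5) as s:
        inside_ip, inside_port = s.getsockname()[:2]
        with s.makefile("r", encoding="ascii") as f:
            reflected = f.readline().strip()
    seen_ip, seen_port_str = reflected.rsplit(":", 1)
    seen_port = int(seen_port_str)
    return {
        "inside": (inside_ip, inside_port),
        "seen": (seen_ip, seen_port),
        "nat": nat_in_force(inside_ip, inside_port, seen_ip, seen_port),
    }


def loopback_demo() -> dict:
    """Run both ends on this host; no gateway in the path, so nat must be False."""
    port, stop = start_reflector()
    try:
        return probe("127.0.0.1", port)
    finally:
        stop.set()


if __name__ == "__main__":
    r = loopback_demo()
    print("inside", r["inside"], "seen by outside", r["seen"],
          "-> NAT in force:", r["nat"])
```

Run the reflector on a host that is genuinely outside the gateway (not another LAN port, and not the gateway itself), and repeat the probe after every configuration change and firmware update; the vendors in the message above shipped code where the setting and the behaviour disagreed, and nothing short of looking at what the outside actually sees would have caught it.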