Re: [arch-d] [Int-area] Is IPv6 End-to-End? R.I.P. Architecture? (Fwd: Errata #5933 for RFC8200)

Keith Moore <moore@xxxxxxxxxxxxxxxxxxxx> · Thu, 27 Feb 2020 21:16:44 -0500



    On 2/27/20 8:46 PM, Phillip Hallam-Baker wrote:
    
      
            You have
                been on this jihad against NAT for decades. In the real
                world, application designers have to accept NAT is
                simply a fact of life or their stuff doesn't work. 
          
        
    I'm not going to argue with you about NAT
        especially since we probably significantly agree about its
        immediate practical effects.   Where we differ is in our visions
        of what makes for a well-functioning Internet in the long
        term.   And I'm not going to argue with you about that either,
        at least not here.

      
            That
                IPSEC is a failure as a VPN standard is not an opinion,
                it is a fact. Every VPN vendor developed their own
                work-around for the AH debacle and as a result, the
                built in clients in Windows and Mac are rarely able to
                connect to an IPSEC VPN. Meanwhile, SSH just works.
          
        
    The greater failure of IPSEC, IMO, is that it
        assumes that a host makes sense as an authentication
        principal.    But that's water that has long since passed under
        the bridge.

    
    Keith