
Re: IPSEC and NAT



	 Has there been any discussion on using IPSEC in conjunction
	 with Network Address Translation devices?  In particular, I'm
	 having problems using Sun's SKIP Source Release 1.0 on a host
	 behind an Ascend P-50 that's doing address translation.

	 Any suggestions would be appreciated.

The subject came up at the NAT BoF at the Munich IETF meeting last week.
Basically, you can't do IPSEC through a NAT box.  You have to terminate
the security association at the NAT box, and -- if you want -- create
a new security association from the box to the end system.

The point is simple:  IPSEC guards against tampering with the packet,
and NAT boxes by definition tinker with at least the addresses.
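
The point in the reply above can be reproduced with a small model of an AH-style integrity check. This is an added example, not part of the original message. It assumes HMAC-SHA1-96 as the integrity algorithm and a simplified IPv4 header; the key, SPI and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51  # IP protocol number of the Authentication Header


def ah_icv(key, src, dst, spi, seq, payload):
    """Simplified AH-style ICV: HMAC-SHA1-96 over the IPv4 header with mutable
    fields zeroed, the AH header with a zeroed ICV field, and the payload."""
    total_len = 20 + 24 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len,   # version/IHL, TOS (mutable, zeroed), total length
        0, 0,                 # identification (constructed), flags/fragment (zeroed)
        0, AH_PROTO, 0,       # TTL and header checksum are mutable, zeroed
        ipaddress.IPv4Address(src).packed,   # source address IS authenticated
        ipaddress.IPv4Address(dst).packed,   # destination address IS authenticated
    )
    # next header = 6 (TCP), AH length = 4 (24 bytes / 4 - 2), reserved, SPI, sequence
    ah_hdr = struct.pack("!BBHII12s", 6, 4, 0, spi, seq, b"\x00" * 12)
    return hmac.new(key, ip_hdr + ah_hdr + payload, hashlib.sha1).digest()[:12]


def send(key, src, dst, spi, seq, payload):
    """Sender side: attach the ICV computed over the original addresses."""
    return {"src": src, "dst": dst, "spi": spi, "seq": seq, "payload": payload,
            "icv": ah_icv(key, src, dst, spi, seq, payload)}


def nat_rewrite(pkt, public_src):
    """NAT box: swap the private source address, touch nothing else."""
    return {**pkt, "src": public_src}


def verify(key, pkt):
    """Receiver side: recompute the ICV from the packet as it arrived."""
    expected = ah_icv(key, pkt["src"], pkt["dst"], pkt["spi"], pkt["seq"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


# Constructed sample values (not from the original message)
KEY = b"constructed-shared-secret"
PKT = send(KEY, "10.0.0.5", "198.51.100.7", 0x1000, 1, b"hello")

if __name__ == "__main__":
    print("direct path:", verify(KEY, PKT))                            # ICV matches
    print("through NAT:", verify(KEY, nat_rewrite(PKT, "192.0.2.1")))  # ICV mismatch
```
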

