
Re: Re[2]: IPSEC and NAT



At 08:51 AM 8/19/97 -0500, pcalhoun@usr.com wrote:
>     
>     One REALLY STUPID way of doing it is to share the private/public keys 
>     between the host and the NAT (I DO NOT RECOMMEND YOU TO DO THIS AT 
>     HOME). An alternative is for the NAT to run in tunnel mode on behalf 
>     of the initiator (but this assumes that the initiator trusts the NAT, 
>     which it probably does not).

I really got to do some writing today :)  But there are a couple of items I
will address here.  First off, until IPsec is deployed at hosts and we come
to agreement on 'chaining' and/or 'nesting' IPsec tunnels and/or
transports, systems behind gateways MUST trust the gateways and gateways
MUST trust gateways in proxying these activities.

It is probably badness to get into a mode of placing host certificates on
gateways.  You might as well only use IP addresses for now and work on
further deploying IPsec asap.


Robert Moskowitz
Chrysler Corporation
(810) 758-8212

