
Re: Re[2]: IPSEC and NAT



> >     One REALLY STUPID way of doing it is to share the private/public keys 
> >     between the host and the NAT (I DO NOT RECOMMEND YOU TO DO THIS AT 
> >     HOME). An alternative is for the NAT to run in tunnel mode on behalf 
> >     of the initiator (but this assumes that the initiator trusts the NAT, 
> >     which it probably does not).
> 
> I really got to do some writing today :)  But there are a couple of items I
> will address here.  First off, until IPsec is deployed at hosts and we come
> to agreement on 'chaining' and/or 'nesting' IPsec tunnels and/or
> transports, systems behind gateways MUST trust the gateways and gateways
> MUST trust gateways in proxying these activities.
> 
> It is probably badness to get into a mode of placing host certificates on
> gateways.  You might as well only use IP addresses for now and work on
> further deploying IPsec asap.
> 
> 
> Robert Moskowitz
> Chrysler Corporation
> (810) 758-8212


	Er, what happens when the NAT gets its IP addresses dynamically?
	Or worse, when the system is untethered and does the very interesting
	multihop thing in conjunction with dynamic renumbering? 
	
	More tersely, how to maintain the IP/IP secure association when the
	more persistent internet identifier is the domain name?

	(this is not specifically germane to the list discussion, so please
	feel free to ignore these comments for now.)
 
--bill

