
Re: Re[2]: IPSEC and NAT



At 10:28 AM 8/19/97 -0400, Howard Weiss wrote:
>
>But isn't this the same problem as when a Security Gateway sits in
>front of a protected enclave on non-IPSEC aware hosts?  Is the SA
>between the end-systems or between the Gateway and an end-system (or
>between two Gateways)?  This also plays into one of the "IPSecond
>useful" items as spelled out by Steve Bellovin last Friday -
>dynamic discovery of IPSEC topologies.

My plan is to expect an SA pair for each host-to-host situation.  This is
valuable for each gateway to control policy.

>The answer may be that for an installation using IPSEC, it should not
>use an off-the-shelf NAT box but rather an IPSEC-aware security
>gateway (e.g., an IPSEC firewall that also does NAT).  

Exactly what I expect.


Robert Moskowitz
Chrysler Corporation
(810) 758-8212

