Re: Re[2]: IPSEC and NAT
At 10:28 AM 8/19/97 -0400, Howard Weiss wrote:
>
>But isn't this the same problem as when a Security Gateway sits in
>front of a protected enclave on non-IPSEC aware hosts? Is the SA
>between the end-systems or between the Gateway and an end-system (or
>between two Gateways)? This also plays into one of the "IPSecond
>useful" items as spelled out by Steve Bellovin last Friday -
>dynamic discovery of IPSEC topologies.
My plan is to expect an SA pair for each host-to-host situation. This is
valuable for each gateway to control policy.
>The answer may be that for an installation using IPSEC, it should not
>use an off-the-shelf NAT box but rather an IPSEC-aware security
>gateway (e.g., an IPSEC firewall that also does NAT).
Exactly what I expect.
Robert Moskowitz
Chrysler Corporation
(810) 758-8212