Re: IPSEC and NAT
A couple of questions to wiser minds, but...
Why do NAT in a central location? One of the things I really dislike
about NAT is that sometimes it has to get involved at the application
layer to fix certain protocols, e.g. FTP. This slows everything down
if the IPSec/NAT has to snoop every packet looking for TCP port 21 and
PORT strings. Isn't the IPSec gateway complex enough without
introducing NAT?
Why not push the problem out to the individual hosts? Have the hosts
have virtual network interfaces that appear to be on the
Internal/Virtual network, just like PPP. This avoids many of the
inherent problems of NAT. I remember that Bellovin and Cheswick wrote a
paper on just this idea some years ago.
Just my $0.02
Y
___________________________________________________________________
| Bio-Routing: | Electronic Connectivity: |
| | |
| Yan-Fa LI (TIS TR) | Phone: ( +1 ) - 415 424 3680 |
| Hewlett-Packard Company | Fax: ( +1 ) - 415 424 3632 |
| Mail Stop: 20CX | |
| 3000 Hanover Street, | Telnet: 424 - 3680 |
| Palo Alto, CA 94304 | Email: yanfali@corp.hp.com |
| USA | |
|____________________________|______________________________________|
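To make concrete the application-layer work the post objects to, here is an added example (not part of the original message) modelling how an FTP ALG on a NAT box must parse a PORT command, rewrite it, account for the payload length change, and pre-install the inbound mapping for the data connection. All addresses and ports are constructed.

```python
import ipaddress
import re

# Constructed model (not from the original post) of the FTP application-layer
# gateway work a NAT box must do on every control-channel (TCP port 21) segment.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$"
)


def parse_port(line: bytes):
    """Decode an RFC 959 PORT command into (ip, port), or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):  # regex admits 256-999; RFC 959 does not
        return None
    ip = str(ipaddress.IPv4Address(bytes(fields[:4])))
    return ip, fields[4] * 256 + fields[5]


def rewrite_port(line: bytes, public_ip: str, mapped_port: int):
    """Rewrite the client's private address/port in a PORT line to the NAT's
    public address and a pre-allocated port.

    Returns (new_line, length_delta, mapping):
      - length_delta is the byte-count change the ALG must fold into TCP
        sequence/ack numbers for the rest of the connection (the ASCII form
        of an address has no fixed length);
      - mapping is the inbound translation the NAT must install before the
        server connects back for the data channel, or None if untouched.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line, 0, None          # not a PORT command: forward unchanged
    priv_ip, priv_port = parsed
    pub = ipaddress.IPv4Address(public_ip).packed
    new = b"PORT %d,%d,%d,%d,%d,%d\r\n" % (
        *pub, mapped_port >> 8, mapped_port & 0xFF
    )
    mapping = ((public_ip, mapped_port), (priv_ip, priv_port))
    return new, len(new) - len(line), mapping


if __name__ == "__main__":
    # Constructed sample: a client on 10.0.0.5 announces data port 1025.
    out, delta, mapping = rewrite_port(b"PORT 10,0,0,5,4,1\r\n", "192.0.2.1", 40000)
    print(out, delta, mapping)
```

The non-zero `length_delta` and the pre-installed mapping are the per-connection state that makes this ALG much more than a header rewrite, which is the cost the post is pointing at.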