
Re: IPSEC and NAT

A couple of questions to wiser minds, but...

Why do NAT in a central location?  One of the things I really dislike
about NAT is that sometimes it has to get involved at the application
layer to fix certain protocols, e.g. FTP.  This slows everything down
if the IPSec/NAT has to snoop every packet looking for TCP port 21 and
PORT strings.  Isn't the IPSec gateway complex enough without
introducing NAT?

Why not push the problem out to the individual hosts?  Have the hosts
have virtual network interfaces that appear to be on the
Internal/Virtual network, just like PPP.  This avoids many of the
inherent problems of NAT.  I remember that Bellovin and Cheswick wrote a
paper on just this idea some years ago.

Just my $0.02

Y

 ___________________________________________________________________ 
| Bio-Routing:               | Electronic Connectivity:             |
|                            |                                      |
| Yan-Fa LI (TIS TR)         | Phone:    ( +1 ) - 415 424 3680      |
| Hewlett-Packard Company    | Fax:      ( +1 ) - 415 424 3632      |
| Mail Stop: 20CX            |                                      |
| 3000 Hanover Street,       | Telnet:   424 - 3680                 |
| Palo Alto, CA 94304        | Email:    yanfali@corp.hp.com        |
| USA                        |                                      |
|____________________________|______________________________________|
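The application-layer fix-up the message above complains about, as an added example (not the poster's code and not from any real NAT product): an RFC 959 active-mode FTP PORT command carries the client's data-channel endpoint as "h1,h2,h3,h4,p1,p2" inside the TCP payload, so a NAT that only rewrites IP and TCP headers leaves the private address in the payload and the server's inbound data connection never arrives. The `FtpAlg` class, the 203.0.113.5 / 10.0.0.0/8 addresses and the port range starting at 40000 are assumptions chosen for illustration.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed example of the per-packet work a NAT "application-layer
# gateway" does for FTP: match PORT lines on the control channel, swap the
# private endpoint for a public one, remember the mapping so the reverse
# DNAT can be installed, and track how much the payload length changed.
PORT_RE = re.compile(rb"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n$")


def decode_port_arg(arg: bytes):
    """Turn b'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    nums = [int(x) for x in arg.split(b",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed PORT argument")
    return IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def encode_port_arg(ip: IPv4Address, port: int) -> bytes:
    """Inverse of decode_port_arg."""
    octets = ",".join(str(o) for o in ip.packed)
    return f"{octets},{port // 256},{port % 256}".encode()


class FtpAlg:
    """Minimal FTP control-channel ALG for a NAT box (hypothetical helper)."""

    def __init__(self, public_ip: str, private_net: str, first_port: int = 40000):
        self.public_ip = IPv4Address(public_ip)
        self.private_net = IPv4Network(private_net)
        self.next_port = first_port
        self.mappings = {}   # external port -> (private ip, private port)
        self.seq_delta = 0   # cumulative payload-length change on this flow

    def rewrite(self, line: bytes):
        """Rewrite one client->server control line.

        Returns (line_to_forward, mapping) where mapping is None when the
        line needed no translation, else (external_port, private_ip, private_port).
        """
        m = PORT_RE.match(line)
        if m is None:
            return line, None            # not a PORT command, pass through
        ip, port = decode_port_arg(m.group(1))
        if ip not in self.private_net:
            return line, None            # already a public address, leave it
        ext_port = self.next_port
        self.next_port += 1
        # This is the DNAT rule the NAT must install for the server's
        # inbound data connection to public_ip:ext_port.
        self.mappings[ext_port] = (ip, port)
        new_line = b"PORT " + encode_port_arg(self.public_ip, ext_port) + b"\r\n"
        # The payload grew or shrank, so every later TCP sequence/ack number
        # on this connection has to be adjusted by this amount. That state,
        # plus the scan of every port-21 segment, is the cost of doing NAT
        # above layer 3.
        self.seq_delta += len(new_line) - len(line)
        return new_line, (ext_port, ip, port)
```

Note that the length change forces the NAT to keep per-connection TCP sequence state for the rest of the session, and that the same snooping must be repeated for PASV replies in the other direction, which is exactly the complexity the poster wants to keep out of the IPSec gateway.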
