Re: IPSEC and NAT
At 01:36 PM 8/19/97 -0700, Yan-Fa LI wrote:
>
>A couple of questions to wiser minds, but...
More likely war weary.
>Why do NAT in a central location ? One of the things I really dislike
>about NAT is that sometimes it has to get involved at the application
>layer to fix certain protocols, e.g. FTP. This slows everything down
>if the IPSec/NAT has to snoop every packet looking for TCP port 21 and
>PORT strings. Isn't the IPSec gateway complex enough without
>introducing NAT ?
Well you can run it on 2 systems, back to back...
>Why not push the problem out to the individual hosts ? Have the hosts
>have virtual network interfaces that appear to be on the
>Internal/Virtual network, just like PPP. This avoids many of the
>inherent problems of NAT. I remember that Bellovin and Cheswick wrote a
>paper on just this idea some years ago.
Depends. I am writing it up. Having a &^*&)*& of a time formatting it
nicely, I may punt so I can get it out tomorrow.
BTW, I cannot cover all possible hacks. I am not covering things like
IP-in-IP tunnels from the router behind the IPsec gateway to the router in
front of the host to get around some of the challenges.....
Robert Moskowitz
Chrysler Corporation
(810) 758-8212
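As an added illustration of the application-layer work Yan-Fa's question describes (example code, not something posted in this thread): a minimal FTP PORT-command ALG in Python of the kind a NAT box has to run on the control channel it watches on TCP port 21. The internal and external addresses and ports are constructed sample values.

```python
import re

# Constructed sample control-channel lines from internal host 10.0.0.5, as a
# NAT gateway would see them while watching TCP port 21 (sample values only).
SAMPLE_LINES = [b"USER anonymous\r\n", b"PORT 10,0,0,5,4,1\r\n", b"LIST\r\n"]

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(line):
    """Decode an FTP PORT command into (ip, port); None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):  # each field is one octet
        return None
    h1, h2, h3, h4, p1, p2 = vals
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def rewrite_port(line, external_ip, external_port):
    """Rewrite a PORT command so the peer connects to the NAT's own address.

    Returns (new_line, seq_delta). The rewrite usually changes the segment
    length, so the gateway must add seq_delta to every later sequence and
    acknowledgement number on this TCP connection: per-connection state that
    a plain packet-by-packet NAT would not need.
    """
    if parse_port(line) is None:
        return line, 0
    octets = ",".join(external_ip.split("."))
    new = ("PORT %s,%d,%d\r\n" % (octets, external_port >> 8,
                                  external_port & 0xFF)).encode()
    return new, len(new) - len(line)


def alg_stream(lines, external_ip, external_port):
    """Run the ALG over a control stream; return rewritten lines and delta."""
    out, delta = [], 0
    for line in lines:
        new, d = rewrite_port(line, external_ip, external_port)
        out.append(new)
        delta += d
    return out, delta
```

A gateway that only forwards the control channel inside an ESP tunnel sees no PORT strings at all, so this rewrite can only run on the box that terminates the tunnel, which is why the NAT and IPsec functions end up on the same system or back to back.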