
Re: IPSEC and NAT



At 01:36 PM 8/19/97 -0700, Yan-Fa LI wrote:
>
>A couple of questions to wiser minds, but...

More likely war weary.

>Why do NAT in a central location ?  One of the things I really dislike
>about NAT is that sometimes it has to get involved at the application
>layer to fix certain protocols, e.g.  FTP.  This slows everything down
>if the IPSec/NAT has to snoop every packet looking for TCP port 21 and
>PORT strings.  Isn't the IPSec gateway complex enough without
>introducing NAT ?

Well, you can run it on 2 systems, back to back...

>Why not push the problem out to the individual hosts ?  Have the hosts
>have virtual network interfaces that appear to be on the
>Internal/Virtual network, just like PPP.  This avoids many of the
>inherent problems of NAT.  I remember that Bellovin and Cheswick wrote a
>paper on just this idea some years ago.

Depends.  I am writing it up.  Having a &^*&)*& of a time formatting it
nicely; I may punt so I can get it out tomorrow.

BTW, I cannot cover all possible hacks.  I am not covering things like
IP-in-IP tunnels from the router behind the IPsec gateway to the router in
front of the host to get around some of the challenges.....



Robert Moskowitz
Chrysler Corporation
(810) 758-8212
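The application-layer involvement the quoted question complains about, as an added illustration that is not part of this thread: a toy NAT helper that rewrites FTP PORT commands from a private client so the server's active-mode data connection reaches the public address (the public address 203.0.113.5 and the port pool are constructed values).

```python
import re

# PORT h1,h2,h3,h4,p1,p2 : four address octets, then the port as high,low byte
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(line):
    """Return (ip, port) for an FTP PORT command line, or None otherwise."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    ip = "%d.%d.%d.%d" % tuple(fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_port(ip, port):
    """Build a PORT command line for the given address and port."""
    octets = ip.split(".")
    return "PORT %s,%s,%s,%s,%d,%d\r\n" % (*octets, port // 256, port % 256)


class FtpPortAlg:
    """Constructed NAT helper: on the control connection, replace the client's
    private address in PORT with the gateway's public address and a port the
    gateway will forward back to the client."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}  # public port -> (private ip, private port)

    def rewrite(self, line):
        """Return (possibly rewritten line, allocated public port or None)."""
        parsed = parse_port(line)
        if parsed is None:
            return line, None          # not a PORT command; pass through
        priv_ip, priv_port = parsed
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[pub_port] = (priv_ip, priv_port)
        # The rewritten line usually differs in length, so a real gateway must
        # also adjust TCP sequence/ack numbers on this connection from here on.
        return format_port(self.public_ip, pub_port), pub_port
```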

