
Re: IPSEC and NAT



At 03:22 PM 8/19/97 -0700, Karl Fox wrote:
>Yan-Fa LI writes:
>> Why not push the problem out to the individual hosts ?  Have the hosts
>> have virtual network interfaces that appear to be on the
>> Internal/Virtual network, just like PPP.  This avoids many of the
>> inherent problems of NAT.  I remember that Bellovin and Cheswick wrote a
>> paper on just this idea some years ago.
>
>Because NAT-in-a-box requires one currently available box, while doing
>the virtual network interface on every desktop requires currently
>unavailable software on every desktop.
>-- 


I believe the real reason is that, in many cases, NAT firewalls are
configured to assign addresses "on the fly" as an internal host makes an
outgoing connection.  Hence, the internal host is unaware 1.) that the NAT
firewall exists at all and 2.) that it has picked an IP address on the
outside of the firewall to represent the internal host for the time of the
connection.

It would seem for this virtual interface concept to work (like PPP), there
would need to be a dynamic way to get the temporary IP address assigned to
a given host, which would involve some protocol between the host and the
firewall.  However, since the goal of the NAT firewall is to be transparent
to the host, there is currently no defined way of doing such a thing.
===========================================================================
Dave Chouinard            (Please note that all opinions expressed here are 
Intel Architecture Labs      mine and are not necessarily shared by Intel)
dchouinard@ibeam.intel.com      
(503)264-7481                      *** Public key available by request ***
Key fingerprint = 88 35 F6 22 71 54 5E 98  0B D7 12 B6 3C 73 43 4E
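As an added illustration of the mechanism described in the message above (this is not code from the thread or from any product it mentions): a toy dynamic NAT that creates a binding on the first outbound packet of a connection, rewrites return traffic back to the internal host, and drops anything arriving for a port it has no binding for. The internal host only ever sees its own private address in the packets it sends and receives; the external address and port live solely in the NAT box's table, which is exactly why a host-side "virtual interface" would need some protocol to learn them. All addresses, ports and the packet shape are constructed for the example.

```python
"""Toy dynamic NAT: bindings are created on the fly for outbound connections
and exist only inside the NAT box, never on the internal host.

Constructed example; addresses (RFC 5737 test ranges), ports and the Packet
shape are assumptions for illustration, not anything from the original thread.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class DynamicNAT:
    """Single-public-address NAT, i.e. the 'NAT-in-a-box' of the thread."""

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        # (internal ip, internal port) -> external port, created on first outbound packet
        self.outbound: Dict[Tuple[str, int], int] = {}
        # external port -> (internal ip, internal port), consulted for replies
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an outgoing packet to the NAT's public address."""
        key = (pkt.src_ip, pkt.src_port)
        ext_port = self.outbound.get(key)
        if ext_port is None:
            # Binding chosen "on the fly"; nothing tells the internal host about it.
            ext_port = self._next_port
            self._next_port += 1
            self.outbound[key] = ext_port
            self.inbound[ext_port] = key
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a reply back to the internal host, or drop it if no binding exists."""
        if pkt.dst_ip != self.external_ip:
            return None  # not addressed to us
        target = self.inbound.get(pkt.dst_port)
        if target is None:
            return None  # unsolicited inbound traffic: no binding, so dropped
        int_ip, int_port = target
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)

    def close_binding(self, int_ip: str, int_port: int) -> Optional[int]:
        """Tear down a binding at end of connection; later replies are dropped."""
        ext_port = self.outbound.pop((int_ip, int_port), None)
        if ext_port is not None:
            del self.inbound[ext_port]
        return ext_port


def run_session():
    """One outbound connection, its reply, a stray inbound packet, then teardown."""
    nat = DynamicNAT("203.0.113.7")            # constructed public address
    host = "10.0.0.5"                          # constructed internal host
    request = Packet(host, 51000, "198.51.100.20", 80, b"GET /")
    on_wire = nat.translate_outbound(request)  # what the outside world sees
    reply = Packet("198.51.100.20", 80, on_wire.src_ip, on_wire.src_port, b"200 OK")
    delivered = nat.translate_inbound(reply)   # what the internal host sees
    stray = Packet("198.51.100.99", 4444, nat.external_ip, 40001)
    dropped = nat.translate_inbound(stray)     # no binding for port 40001
    nat.close_binding(host, 51000)
    late_reply = nat.translate_inbound(reply)  # binding gone, so dropped too
    return on_wire, delivered, dropped, late_reply


if __name__ == "__main__":
    on_wire, delivered, dropped, late_reply = run_session()
    print("outside sees :", on_wire.src_ip, on_wire.src_port)
    print("host sees    :", delivered.dst_ip, delivered.dst_port)
    print("stray dropped:", dropped is None, " late reply dropped:", late_reply is None)
```

The host's view of the connection is 10.0.0.5:51000 throughout; 203.0.113.7:40000 appears nowhere in any packet the host handles, and after teardown the NAT box forgets the mapping entirely.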