
Re: IPSEC and NAT



Dave Chouinard Wrote:

> At 03:22 PM 8/19/97 -0700, Karl Fox wrote:
> >Yan-Fa LI writes:
> >> Why not push the problem out to the individual hosts ?  Have the hosts
> >> have virtual network interfaces that appear to be on the
> >> Internal/Virtual network, just like PPP.  This avoids many of the
> >> inherent problems of NAT.  I remember that Bellovin and Cheswick wrote a
> >> paper on just this idea some years ago.
> >
> >Because NAT-in-a-box requires one currently available box, while doing
> >the virtual network interface on every desktop requires currently
> >unavailable software on every desktop.
> >-- 
> 
> 
> I believe the real reason is that, in many cases, NAT firewalls are
> configured to assign addresses "on the fly" as an internal host makes an
> outgoing connection.  Hence, the internal host is unaware that 1.) the NAT
> firewall exists at all and, 2.) that it has picked an IP address on the
> outside of the firewall to represent the internal host for the time of the
> connection.
> 
> It would seem for this virtual interface concept to work (like PPP), there
> would need to be a dynamic way to get the temporary IP address assigned to
> a given host, which would involve some protocol between the host and the
> firewall.  However, since the goal of the NAT firewall is to be transparent
> to the host, there is currently no defined way of doing such a thing.
> 

Very good point.  One of the things I always punt on for this particular
part of my idea is that there isn't actually a protocol for an
encryption server device to negotiate this information with an
encryption client.  However, some workable protocols are around, such as
L2TP and PPTP, that point to the right way of doing this.

Sincerely,

   Yan

 ___________________________________________________________________ 
| Bio-Routing:               | Electronic Connectivity:             |
|                            |                                      |
| Yan-Fa LI (CNS PAR)        | Phone:    ( +1 ) - 415 424 3680      |
| Hewlett-Packard Company    | Fax:      ( +1 ) - 415 424 3632      |
| Mail Stop: 20CX            |                                      |
| 3000 Hanover Street,       | Telnet:   424 - 3680                 |
| Palo Alto, CA 94304        | Email:    yanfali@corp.hp.com        |
| USA                        |                                      |
|____________________________|______________________________________|
 My views do not necessarily represent those of the Hewlett Packard
 Company and should be taken with a large dose of salt or whatever
 passes for sodium in your neck of the woods/universe/continuum/etc...
 ___________________________________________________________________
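The behaviour Dave describes above (a NAT box that picks an outside address per outgoing connection without the inside host ever learning it) is easy to model, and the model also shows why that silent rewrite matters for the IPsec side of this thread. The following is an added example, not code from anyone on the list: a tiny dynamic NAT with a pool of outside addresses, a flow table keyed on the 4-tuple, and an integrity tag computed by the inside host. Addresses are constructed from the RFC 5737 documentation ranges; the tag is a plain HMAC standing in for an IPsec integrity check (AH, for instance, covers the source address, while a payload-only tag does not).

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    """Just the fields a NAT cares about (constructed model, not a real header)."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


class DynamicNAT:
    """Model of an 'on the fly' NAT: the first outbound packet of a flow grabs
    an address from the outside pool; the inside host is never told which."""

    def __init__(self, pool):
        self.free = list(pool)
        self.out_map = {}  # (inside_src, sport, dst, dport) -> outside addr
        self.in_map = {}   # (outside addr, sport, dst, dport) -> inside_src

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        ext = self.out_map.get(key)
        if ext is None:
            if not self.free:
                raise RuntimeError("outside address pool exhausted")
            ext = self.free.pop(0)
            self.out_map[key] = ext
            self.in_map[(ext, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
        # Only the source address is rewritten; the host's own copy is unchanged.
        return Packet(ext, pkt.dst, pkt.sport, pkt.dport, pkt.payload)

    def inbound(self, pkt):
        # A reply arrives addressed to the outside address; look up the flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        inside = self.in_map.get(key)
        if inside is None:
            return None  # no flow state: unsolicited traffic is dropped
        return Packet(pkt.src, inside, pkt.sport, pkt.dport, pkt.payload)


def integrity_tag(key, pkt, cover_header):
    """HMAC standing in for an IPsec integrity check. With cover_header=True the
    source and destination addresses are protected (as AH does); with False
    only the payload is."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    if cover_header:
        h.update(pkt.src.encode())
        h.update(pkt.dst.encode())
    h.update(pkt.payload)
    return h.hexdigest()


def survives_nat(nat, pkt, key, cover_header):
    """Tag the packet as the inside host sees it, push it through the NAT,
    and check whether the far end would still accept the tag."""
    tag = integrity_tag(key, pkt, cover_header)
    translated = nat.outbound(pkt)
    return hmac.compare_digest(tag, integrity_tag(key, translated, cover_header))


if __name__ == "__main__":
    nat = DynamicNAT(["198.51.100.10", "198.51.100.11"])
    key = b"constructed-shared-key"
    pkt = Packet("10.0.0.5", "203.0.113.7", 40000, 80, b"GET / HTTP/1.0")
    print("header-covering tag survives NAT:", survives_nat(nat, pkt, key, True))
    print("payload-only tag survives NAT:   ", survives_nat(nat, pkt, key, False))
    print("flow table:", nat.out_map)
```

The inside host computes its tag over `10.0.0.5` because that is the only address it knows; the NAT box substitutes an outside address after the fact, so any check that covers the source address fails at the far end, while a payload-only check is untouched. That is the gap the reply above points at: without a protocol for the host to learn its temporary outside address, the host cannot compute anything that depends on it.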

