
Re: IPSEC and NAT



At 06:27 AM 8/20/97 -0400, IETF wrote:
>
>After following this thread with great interest, it appears that IPSEC
>has marginalized NAT.  If this is indeed the case, this is 'not a good
>thing', IMHO.  NAT is an important 'fact of life' which needs to be
>considered as a requirement which IPSEC should embrace.
>
>Could someone explain why NAT appears to be out of the IPSEC requirements
>radar screen?

Tim, this is one of your IPsec co-chairs speaking.

IPsec is about securing IP packets.

NAT is about fiddling with IP packet headers, and in some cases data content.

Thus they are going in opposite directions.

IPsec makes VPNs possible between two networks in ways not considered
before due to 'safety' reasons.  This accentuates NAT issues.

IPsec is a communication 'pipe'.  A good designer will not find that IPsec
has 'marginalized' NAT, rather, it has increased the applications for NAT,
and defined places where NAT COULD be performed.

IPsec on end-points MAY eliminate much of the NAT concerns created by IPsec
on gateways, but I still need to walk around the building a dozen times
more before I can write that one up :)

NAT IS out of scope for the IPsec wg; not in our charter.  HOWEVER, being
good IETFers, we will spend the time to scope out the impact of IPsec and
NAT and then see what work needs to be done.

Stay tuned, I should get the 1st cut over to Rodney this morning and then we
will post the URL.  I will also send it on the ID for publishing, but that
will lag a bit.



Robert Moskowitz
Chrysler Corporation
(810) 758-8212

