
Re: IPSEC and NAT



	 
	 After following this thread with great interest, it appears that IPSEC
	 has marginalized NAT.  If this is indeed the case, this is 'not a good
	 thing', IMHO.  NAT is an important 'fact of life' which needs to be
	 considered as a requirement which IPSEC should embrace.
	 
	 Could someone explain why NAT appears to be out of the IPSEC
	 requirements radar screen?

Because they're inherently incompatible.  NAT is not just incompatible
with IPSEC, but with many other forms of cryptography as well, such as
SSL and GSS-API (how can you scan an FTP session for PORT commands if
it's encrypted?) and DNSSEC (how can you diddle addresses of a signed
record?).

That said, one can (as noted) terminate the IPSEC session at the NAT box,
just as one can terminate IPSEC at other forms of firewall.  But there's
not really any other way of getting around the basic contradiction -- NAT
boxes are all about inspecting and changing packets, and cryptography is
all about protecting packets from inspection and modification.
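The "basic contradiction" above can be made concrete. The following is an added example, written for this page and not code from the original message or from any IPsec implementation. It models two things in simplified form: the AH integrity check (RFC 4302), whose ICV is computed over the IP source and destination addresses with only the mutable fields such as TTL and header checksum zeroed, and the TCP checksum inside an ESP transport-mode packet, which covers a pseudo-header containing the original source address that the NAT has rewritten but cannot see (the problem RFC 3715 describes). The shared key, SPI, addresses and packet contents are all constructed; ESP encryption itself is not performed, the model simply forbids the NAT from touching anything past the IP header, which is the effect encryption has.

```python
"""Constructed model of why address rewriting breaks IPsec (AH ICV, ESP/TCP checksum)."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-shared-key-not-a-real-sa"  # assumed SA key, constructed for the example


def checksum16(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 when run over data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum16(hdr)) + hdr[12:]


def tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int, data: bytes) -> bytes:
    """TCP header + data with a checksum over the pseudo-header (addresses, proto, length)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr) + len(data))
    csum = checksum16(pseudo + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


def tcp_checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """What the receiving TCP stack does after ESP has been stripped: recheck with the addresses it sees."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return checksum16(pseudo + segment) == 0


def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """HMAC-SHA-256-128 ICV as AH computes it: mutable IP fields zeroed, addresses covered."""
    z = bytearray(ip_hdr)
    z[1] = 0                     # TOS / DSCP+ECN
    z[6:8] = b"\x00\x00"         # flags + fragment offset
    z[8] = 0                     # TTL (routers may decrement it, so AH excludes it)
    z[10:12] = b"\x00\x00"       # header checksum
    mac = hmac.new(KEY, bytes(z) + ah_fixed + b"\x00" * 16 + payload, hashlib.sha256).digest()
    return mac[:16]


def build_ah_packet(src: str, dst: str, payload: bytes) -> bytes:
    """IP | AH (next=TCP, len=5 words, SPI, seq, ICV) | payload. SPI 0x1000 is constructed."""
    ah_fixed = struct.pack("!BBHII", 6, 5, 0, 0x1000, 1)
    ip_hdr = ipv4_header(src, dst, 51, 12 + 16 + len(payload))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload


def verify_ah(packet: bytes) -> bool:
    ip_hdr, ah_fixed, icv, payload = packet[:20], packet[20:32], packet[32:48], packet[48:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload))


def _refix_ip_checksum(ip_hdr: bytearray) -> bytes:
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum16(bytes(ip_hdr)))
    return bytes(ip_hdr)


def router_decrement_ttl(packet: bytes) -> bytes:
    """An ordinary router hop: TTL-1 and a new header checksum. AH tolerates this."""
    ip_hdr = bytearray(packet[:20])
    ip_hdr[8] -= 1
    return _refix_ip_checksum(ip_hdr) + packet[20:]


def nat_rewrite_src(packet: bytes, new_src: str) -> bytes:
    """A basic NAT: rewrite the source address and fix the IP checksum. It cannot fix the AH ICV,
    and cannot reach a TCP checksum hidden inside ESP, so everything past byte 20 is left alone."""
    ip_hdr = bytearray(packet[:20])
    ip_hdr[12:16] = socket.inet_aton(new_src)
    return _refix_ip_checksum(ip_hdr) + packet[20:]


if __name__ == "__main__":
    seg = tcp_segment("10.0.0.5", "203.0.113.10", 40000, 22, b"SSH-2.0-\n")
    pkt = build_ah_packet("10.0.0.5", "203.0.113.10", seg)
    print("AH as sent:        ", verify_ah(pkt))
    print("AH after router:   ", verify_ah(router_decrement_ttl(pkt)))
    print("AH after NAT:      ", verify_ah(nat_rewrite_src(pkt, "198.51.100.1")))
    print("TCP csum, no NAT:  ", tcp_checksum_ok("10.0.0.5", "203.0.113.10", seg))
    print("TCP csum after NAT:", tcp_checksum_ok("198.51.100.1", "203.0.113.10", seg))
```

The TTL case is included to show that the incompatibility is specific to what NAT changes: AH was designed to survive the per-hop rewrites routers make (TTL, header checksum) and excludes exactly those fields, but the addresses are covered, so any NAT rewrite fails verification at the peer. For ESP in transport mode the ICV survives, since it does not cover the outer header, but the TCP checksum the peer recomputes with the rewritten source address no longer matches, and the NAT could not have fixed it because the segment is ciphertext. Terminating the IPsec session on the NAT box, as the reply suggests, is what sidesteps this: the box then holds the key and sees plaintext before it rewrites anything.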