
Re: IPSEC and NAT



From an implementor's view, NAT and IPsec are solving different problems.
I don't feel like IPsec is ignoring NAT, but the nature of the two does
mean it's more than a trivial task to apply a combination of the
technologies.  I consider it a *feature* that we have IPsec (relatively)
stable enough that we all have time to think about NAT.  The development of
technically sound and cryptographically safe combinations of NAT and IPsec
will take some work, and is an opportunity for the vendor community and the
standards community to solve some interesting problems.

Trust me, I'm not ignoring NAT.  I have customers bugging me to work on it...

>To: rgm3@chrysler.com
>cc: Tim Bass (IETF) <ietf@linux.silkroad.com>, ipsec@tis.com
>Subject: Re: IPSEC and NAT 
>Date: Wed, 20 Aug 1997 07:22:49 -0400
>From: Steven Bellovin <smb@research.att.com>
>Sender: owner-ipsec@ex.tis.com
>
>	 NAT IS out of scope for the IPsec wg; not in our charter.
>	 HOWEVER, being good IETFers, we will spend the time to scope
>	 out the impact of IPsec and NAT and then see what work needs
>	 to be done.
>
>For folks who weren't in Munich -- I spoke at the ipsec slot on remaining
>work items.  My recommendation is that a new group (which I've dubbed
>ipsecond) be formed to take over some of the complex issues.  One that
>I explicitly listed was complex topology discovery, which most definitely
>does include NAT boxes.  For now, though, NAT boxes are just another form
>of firewall, and you'll either have to deploy a bump-in-the-wire ipsec
>box outboard of your NAT, or lean on your vendor to integrate the two.
>
>