
Re: IPSEC and NAT




Two interesting points were made, one related to NAT
and one related to cryptography, which beg further discussion.
Hence, I'll make these small arguments in hope the
topic is appropriate to IPSEC WG:

(1) Cryptography is about techniques to ensure confidentiality,
    integrity, non-repudiation, authentication, (all the basics
    we all know and love :) for messaging.  Bulk encryption does
    this by 'not fiddling with bits' as one described in a reply.
    However, it is not clear, IMHO, that this model is a necessary
    requirement for IPSEC. Is IPSEC just an IP 'centric bulkish'
    encryption :)  Hmmmm.
	

(2) NAT is more than 'just a firewall technology'.  It is a generalized
    method of translating IP addresses and its roots were in IP routing
    scalability issues (right?) and many use NAT as a basic tool
    for IP address space management.  

Having touched on (1,2) above, one could develop a rational argument that
IPSEC should be designed to work with NAT, not orthogonal to NAT, because
NAT has become a basic fact of life in both IP Firewalls and IP address
space management.   On the other hand, one could argue differently :)

My closing thoughts are these, and correct me if I am wrong; doing address
translation integrated into IPSEC is 'too difficult' or 'too much work'
for the IPSEC to consider.  Or, is it more like 'if IPSEC WG builds
hooks for NAT' then the precedence has been set for 'more and more
IPSEC requirements and accommodations'.

Thanks for the time on the 'floor' :)  

V/R,

Tim



