
Re: IPSEC and NAT



   Date: Fri, 22 Aug 1997 17:13:25 -0400
   From: Bill Sommerfeld <sommerfeld@apollo.hp.com>

   It's not immediately clear what this means, because NAT is a way to
   bridge between multiple routing/addressing domains.  By tunnelling
   through, you're (pardon the Ghostbusters analogy) "crossing the
   streams".  Are the addresses on the "inside" of the tunnel from one
   domain, or the other?  Or do they form a third addressing domain?

All very good questions.

All I can say is that Bob's solution requires making fundamental changes
in how TCP/IP applications work.  Programs have to make a DNS query to a
new type, the "TX" RR, which points them at another DNS server port on
the security router, where they make another TX RR query.  The router
then makes its own DNS "TX" resolutions to talk to the other router ---
which is also running a specialized DNS server --- so the two of them
can figure out who needs to do what kind of NAT translation before
encapsulating and encrypting the packets.  (Apologies to Bob if I'm not
describing the latest version of his proposal.  I am merely trying to
get across a general sense of the kinds of kludges you need in order to
support NAT.)

   It seems like an awful lot of work to do to accommodate a technology
   which completely breaks just about every single system/protocol I've
   worked on in the past 10 years.

Unfortunately, there's a huge number of companies that very foolishly
invested a large amount of money in NAT boxes, for better or for worse,
and the auto industry in particular is apparently committed to spend
millions to perpetuate this architectural eyesore, because apparently
it would be far more expensive to undo this mistake.

In any case, NAT is far outside the scope of this working group ---
although wishing that the problem will go away won't make it so,
especially if there's enough money in the marketplace forcing vendors
to invent solutions that accommodate this fundamentally broken
technology.

						- Ted
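The thread talks about NAT "completely breaking" protocols and about routers having to "figure out who needs to do what kind of NAT translation before encapsulating and encrypting". The following Python block is an added illustration of the underlying mechanism, not code from this thread or from any IPsec implementation: it models a TCP segment whose checksum covers a pseudo-header with the IP addresses, an AH-style integrity value (a keyed HMAC over the addresses and the segment; real AH uses the SA's key and algorithm, and this key is a constructed demo value) and a NAT box that rewrites the source address. The addresses come from the documentation ranges and are constructed for the example. A plain TCP segment survives because the NAT can patch the checksum, the AH-style tag fails because the address it covers changed, and an ESP-style segment the NAT cannot see fails its inner checksum at the receiver.

```python
import hashlib
import hmac
import struct

# Constructed demo key standing in for a security association's key.
DEMO_KEY = b"constructed-demo-key"


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ones_complement_sum(data: bytes) -> int:
    # RFC 1071 style 16-bit ones' complement checksum.
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    # The TCP pseudo-header binds the checksum to the IP addresses.
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    # Minimal 20-byte TCP header (data offset 5, PSH|ACK) with the checksum filled in.
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src, dst, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def verify_tcp(src: str, dst: str, segment: bytes) -> bool:
    # A segment with a correct checksum sums to zero over pseudo-header plus segment.
    return tcp_checksum(src, dst, segment) == 0


def ah_icv(src: str, dst: str, segment: bytes) -> bytes:
    # AH-style integrity value: the (immutable) addresses are covered by the tag.
    return hmac.new(DEMO_KEY, ip_to_bytes(src) + ip_to_bytes(dst) + segment,
                    hashlib.sha256).digest()


def verify_ah(src: str, dst: str, segment: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(src, dst, segment), icv)


def nat_rewrite_source(new_src: str, dst: str, segment: bytes, can_see_transport: bool):
    # A NAT rewrites the source address. If it can read the TCP header it also
    # patches the checksum; if the segment is ESP-protected it is opaque bytes.
    if can_see_transport:
        zeroed = segment[:16] + b"\x00\x00" + segment[18:]
        csum = tcp_checksum(new_src, dst, zeroed)
        segment = zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]
    return new_src, segment


def demo() -> dict:
    inside, outside, peer = "10.0.0.5", "192.0.2.1", "198.51.100.7"  # constructed
    seg = build_segment(inside, peer, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    icv = ah_icv(inside, peer, seg)

    # Plain TCP: the NAT sees the header and fixes the checksum.
    src1, seg1 = nat_rewrite_source(outside, peer, seg, can_see_transport=True)
    # AH-style tag: the rewritten source address is inside the integrity check.
    ah_ok = verify_ah(src1, peer, seg1, icv)
    # ESP-style: the NAT cannot touch the inner checksum, which still names 'inside'.
    src3, seg3 = nat_rewrite_source(outside, peer, seg, can_see_transport=False)

    return {
        "original_ok": verify_tcp(inside, peer, seg) and verify_ah(inside, peer, seg, icv),
        "plain_tcp_ok_after_nat": verify_tcp(src1, peer, seg1),
        "ah_ok_after_nat": ah_ok,
        "esp_inner_checksum_ok_after_nat": verify_tcp(src3, peer, seg3),
    }


if __name__ == "__main__":
    print(demo())
```

The AH-style case is the one a NAT can never repair, because the tag is keyed and the NAT holds no key; the ESP-style case is why proposals of the kind Ted describes have the routers agree on the translation before the packet is encapsulated, so the inner addresses the checksum was computed over match what the far end will see.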

