
Re: IPSEC and NAT and the BIG PICTURE



Here's a succinct way to describe the main problem with NAT
vs. security protocols (ipsec, kerberos, dnssec, ...):

It's possible to do end-to-end security in the presence of NAT.

It's also possible to use addresses as data in the presence of NAT --
the NAT box just has to rewrite the addresses.

However, it's not possible to use end-to-end secure protocols which
carry addresses as data... it's this combination of features which
cannot possibly work.

					- Bill
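
The three cases above, worked through as an added example that is not part of the original message. The key, the addresses, the packet layout and the function names are all constructed for illustration; HMAC-SHA256 stands in for whatever end-to-end integrity protection the protocol uses.

```python
import hashlib
import hmac

# Constructed values: the key is shared by the two endpoints and unknown to the NAT.
KEY = b"constructed-end-to-end-key"
PRIVATE, PUBLIC = "10.0.0.5", "192.0.2.1"  # RFC 1918 / RFC 5737 sample addresses


def mac(payload: bytes) -> bytes:
    """End-to-end integrity tag over the payload only."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def send(payload: bytes, secure: bool) -> dict:
    """Host behind the NAT builds a packet, optionally integrity-protected."""
    return {"src": PRIVATE, "payload": payload, "tag": mac(payload) if secure else None}


def nat(pkt: dict, rewrite_payload: bool) -> dict:
    """Hypothetical NAT box: always rewrites the header source address and
    optionally rewrites the same address where it appears as data."""
    out = dict(pkt, src=PUBLIC)
    if rewrite_payload:
        out["payload"] = pkt["payload"].replace(PRIVATE.encode(), PUBLIC.encode())
    return out


def receive(pkt: dict) -> dict:
    """Peer outside the NAT: check the tag if present, then see whether any
    address carried as data is one it can actually reach."""
    tag = pkt["tag"]
    accepted = tag is None or hmac.compare_digest(tag, mac(pkt["payload"]))
    address_usable = PRIVATE.encode() not in pkt["payload"]
    return {"accepted": accepted, "address_usable": address_usable}


if __name__ == "__main__":
    with_addr = b"connect back to " + PRIVATE.encode()
    cases = {
        "secure, no address in data": receive(nat(send(b"hello", True), False)),
        "address in data, not secured": receive(nat(send(with_addr, False), True)),
        "secure + address, NAT leaves data": receive(nat(send(with_addr, True), False)),
        "secure + address, NAT rewrites data": receive(nat(send(with_addr, True), True)),
    }
    for name, result in cases.items():
        print(f"{name:38} {result}")
```

In the last two cases the receiver either gets an authentic payload carrying an unreachable private address, or a reachable address in a payload that fails verification.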

