
Interactions between IPSEC and NAT



Folks,

I haven't been following the NAT discussions really closely, so let me know
if this has already come up. There seems to be a real problem for NAT when
end-to-end IPSEC is used. Since the NAT system must look into application
data and change embedded IP addresses (e.g., for FTP PORT commands), if the
session is encrypted, this is not possible. Further exacerbating the
problem is that FTP seems to be unusual in carrying control and data on
separate associations, so for many applications you can't even play tricks
like not encrypting the control traffic end-to-end, but encrypting the data
traffic.

This seems to lead to a model where IPSEC tunnels are used from the end
system to the NAT box, then from the NAT box to the remote system (or to
the remote NAT box, which tunnels to the remote system). These are IPSEC
tunnels, not PPTP or L2TP tunnels. This imposes a pretty ugly trust model.

Anyone thought about this so that they can provide us with a nice clean
answer :-)?

Dan
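As an added example that is not part of the original post, the following is a toy model of the conflict Dan describes: the rewrite an FTP ALG in a NAT performs on a PORT command, why that rewrite is impossible once the payload is ESP-encrypted, and why an AH-style integrity check that covers the source address fails after translation. The encryption and ICV functions are simplified stand-ins, not real ESP/AH processing, and all addresses and ports are constructed sample values.

```python
"""NAT ALG vs. IPsec, simplified. Added example; not code from the original
post. toy_encrypt/toy_icv are stand-ins for ESP/AH, not the real formats."""
import hashlib
import hmac
import re

# FTP PORT syntax: h1,h2,h3,h4,p1,p2 (address octets, then port high/low byte)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def rewrite_port_command(line: bytes, public_ip: str, public_port: int) -> bytes:
    """What an FTP ALG in a NAT does: replace the private address/port embedded
    in the PORT command with the NAT's public address and an allocated port."""
    if not PORT_RE.match(line):
        raise ValueError("not a PORT command")
    p1, p2 = divmod(public_port, 256)
    fields = public_ip.split(".") + [str(p1), str(p2)]
    return b"PORT " + ",".join(fields).encode() + b"\r\n"


def alg_can_rewrite(payload: bytes) -> bool:
    """The ALG only works if it can actually see the PORT command."""
    return PORT_RE.match(payload) is not None


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for ESP confidentiality: XOR with a hash-derived keystream (toy).
    Once applied, the PORT command is opaque to the NAT."""
    stream = hashlib.sha256(key).digest() * (len(plaintext) // 32 + 1)
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def toy_icv(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    """Stand-in for an AH integrity check value: an HMAC that, like AH, covers
    the source address, so a NAT rewrite of that address invalidates it."""
    return hmac.new(key, f"{src}>{dst}".encode() + payload, hashlib.sha256).digest()


def nat_breaks_ah(key: bytes, src: str, dst: str, payload: bytes, nat_ip: str) -> bool:
    """Sender computes the ICV, NAT translates src to nat_ip, receiver verifies.
    Returns True when the receiver's check fails (i.e., NAT broke AH)."""
    sent_icv = toy_icv(key, src, dst, payload)
    return not hmac.compare_digest(sent_icv, toy_icv(key, nat_ip, dst, payload))


if __name__ == "__main__":
    cmd = b"PORT 10,0,0,5,4,1\r\n"  # constructed: private host 10.0.0.5, port 1025
    print(rewrite_port_command(cmd, "198.51.100.7", 40000))
    print(alg_can_rewrite(toy_encrypt(b"k", cmd)))          # False: ESP hides it
    print(nat_breaks_ah(b"k", "10.0.0.5", "203.0.113.9", cmd, "198.51.100.7"))
```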