[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: (NAT) Re: Interactions between IPSEC and NAT




Vinod Valloppillil writes:
> that's a pretty large overstatement, IMHO.  
> 
> fundamentals of IPSEC/NAT aside, it doesn't seem theoretically impossible to
> separate IP addressing from end-to-end payload security.

I'm afraid it must be.

The alteration of addresses and/or ports has security implications. We
in the security community have found, from bitter experience, that
"trivial changes" to protocols often have drastic consequences. IPsec
secures the entire packet. If we were to declare that the end system
address and/or ports were to not be protected, in theory NAT could
continue to work. However, were we to do such a thing, I'm almost
certain that, given time and effort, I could come up with fascinating
new attacks that could be performed upon such packets -- things like
convincing legitimate traffic to be sent from a legtimate port to an
illegitimate one with grave consequences, for example.

If you want end to end security, you can't allow packets to be
modified between the endpoints.

> HTTPS through a NAT, for example, is perfectly reasonable

HTTPS doesn't embed things like ports into the communications stream,
so it can be NATed. SSL is the security layer HTTPS uses, but SSL !=
HTTPS -- other protocols over SSL will not behave so nicely.

Perry