
Re: Interactions between IPSEC and NAT
Alex Alten writes:
> This is what bothers me about the direction IPSEC has taken.  The
> addition of security should not break things like trusted NATs.

The function of IPsec is to keep a packet from being touched or read
in transit. That is, for good or ill, fundamentally incompatible with
the concept of network address translation. As a security weenie, I
cannot think of a way to avoid this -- it's like asking for a method of
contraception that also allows pregnancy. The two don't mix.

IPsec protects you against all sorts of nasty attacks like IP address
spoofing, but the only reasonable way to do that means that no one in
your communications path can fiddle with your packets. With that in
place, NAT is impossible. If you remove that, you remove the
security. I do not see any way to fix that.

I wish to be very clear to the NAT people -- security is not magic. We
aren't sadists who are withholding the magic security pixie dust,
which, would we just release it, would bring a protocol that makes
everything secure and imposes no pain. We aren't hiding some nifty
cool way to do things from you to be mean. We don't know of any such
solution -- I would go so far as to say, in fact, that there is no
such solution. If you want security, you have to suffer certain
tradeoffs. If you want people not to be able to do very vicious things
to you that will cause you trouble -- vicious things involving
spoofing portions of your datagrams -- you need security that prevents
people from mucking with your datagrams. Well, that has an obvious
impact on doing NAT, for good or ill.

> If not, then encrypt the IP header, since all the trusted routers
> can decrypt it, decide how to route it, and then re-encrypt before
> transmitting it.

We don't do that, actually. You can't bring all the routers on the
internet into your security perimeter -- that simply won't work. Thus,
we don't try. IPsec works via encapsulation -- the outer IP address is
in the clear, as it must be for routing to work. 

For stuff like NAT to work you would need to include all NAT boxes and
routers in your security perimeter, and I fundamentally cannot think
of a design for this stuff that will work and will involve arbitrary
numbers of intermediate nodes on the global internet -- I believe that
it just can't be done in practice. Maybe I'm just not bright enough,
but I think that instead it's an issue of having enough arrows in my
back to know better.

> The really difficult issues of how to establish and control the
> network of trusted nodes, and how to implement and enforce
> network-wide policy can then be tackled.

When you come up with a functioning protocol, let us know. I don't
believe one is possible, but I'm more than willing to listen.

Perry
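Perry's point that integrity protection and header rewriting cannot coexist, shown as an added illustration that is not part of the original post: a constructed, AH-style integrity check in Python (HMAC-SHA256 stands in for the era's HMAC-MD5/SHA-1; the key, addresses and payload are made up) that survives an ordinary router hop but fails once a NAT rewrites the source address.

```python
import hashlib
import hmac
import socket
import struct

# Constructed AH-style integrity check (RFC 2402 spirit): fields a router may
# change in flight (TOS, flags/fragment offset, TTL, header checksum) are
# zeroed before the ICV is computed; the addresses are covered.
MUTABLE = [(1, 2), (6, 8), (8, 9), (10, 12)]  # (start, stop) byte ranges
def ip_checksum(header):
    # One's-complement IPv4 header checksum over the 20-byte header.
    total = sum(struct.unpack("!10H", header[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src, dst, payload_len, ttl=64, proto=51):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def compute_icv(key, header, payload):
    # HMAC over header (mutable fields zeroed) + payload, truncated to 96 bits.
    h = bytearray(header)
    for start, stop in MUTABLE:
        h[start:stop] = bytes(stop - start)
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:12]

def verify_icv(key, header, payload, icv):
    return hmac.compare_digest(compute_icv(key, header, payload), icv)
def hop(header, new_src=None):
    # One forwarding hop: TTL decrement, optional NAT source rewrite, checksum refresh.
    h = bytearray(header)
    h[8] -= 1
    if new_src is not None:
        h[12:16] = socket.inet_aton(new_src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)

def demo(key=b"constructed-shared-key"):
    # Does the receiver's ICV check pass after each kind of hop?
    payload = b"constructed payload"
    original = build_ipv4_header("10.0.0.5", "203.0.113.7", len(payload))
    icv = compute_icv(key, original, payload)
    return {"untouched": verify_icv(key, original, payload, icv),
            "plain_router": verify_icv(key, hop(original), payload, icv),
            "nat": verify_icv(key, hop(original, "198.51.100.2"), payload, icv)}
```

The plain router only touches fields the ICV deliberately excludes, so the packet still verifies; the NAT changes a covered field, so the receiver must drop it, which is exactly the behaviour the protection exists to provide.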