[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Interactions between IPSEC and NAT
At 01:09 AM 2/5/98 -0500, Perry E. Metzger wrote:
>
>Alex Alten writes:
>> This is what bothers me about the direction IPSEC has taken. The
>> addition of security should not break things like trusted NATs.
>
>The function of IPsec is to keep a packet from being touched or read
>in transit.
IP packets are designed with routing in mind. There are fields which
need to be adjusted between hops. This means IP security can only be
designed with a single hop in mind. This also means that IP security
must be part of a complete security system, of which IP security is
just one component, the component which protects inter-router hops.
A secure, trusted NAT can certainly be part of that system.
>> If not, then encrypt the IP header, since all the trusted routers
>> can decrypt it, decide how to route it, and then re-encrypt before
>> transmitting it.
>
>We don't do that, actually. You can't bring all the routers on the
>internet into your security perimeter -- that simply won't work. Thus,
>we don't try. IPsec works via encapsulation -- the outer IP address is
>in the clear, as it must be for routing to work.
This is realistic, I stated this as my alternative. However the outer IP
address must be at least be verified somehow, either via a MAC over it or
duplicate routing information inside the protected encapsulation area.
>For stuff like NAT to work you would need to include all NAT boxes and
>routers in your security perimeter, and I fundamentally cannot think
>of a design for this stuff that will work and will involve arbitrary
>numbers of intermediate nodes on the global internet -- I belive that
>it just can't be done in practice. Maybe I'm just not bright enough,
>but I think that instead its an issue of having enough arrows in my
>back to know better.
>
I absolutely agree. In fact, regardless of NAT, all the routers must
be part of the security system (or security perimeter). For an
arbitrary number of insecure routers, then I think only a transport
or application level security will work.
>> The really difficult issues of how to establish and control the
>> network of trusted nodes, and how to implement and enforce
>> network-wide policy can then be tackled.
>
>When you come up with a functioning protocol, let us know. I don't
>believe one is possible, but I'm more than willing to listen.
>
Admittedly it is a tough problem to solve, given the datagram nature of
IP and its high performance requirements for routing. It's much easier
to do it at the TCP level.
- Alex
--
Alex Alten
Andrade@Netcom.Com
P.O. Box 11406
Pleasanton, CA 94588 USA
(510) 417-0159
Follow-Ups:
References: