
Re: Interactions between IPSEC and NAT



At 01:09 AM 2/5/98 -0500, Perry E. Metzger wrote:
>
>Alex Alten writes:
>> This is what bothers me about the direction IPSEC has taken.  The
>> addition of security should not break things like trusted NATs.
>
>The function of IPsec is to keep a packet from being touched or read
>in transit. 

IP packets are designed with routing in mind.  There are fields which
need to be adjusted between hops.  This means IP security can only be 
designed with a single hop in mind.  This also means that IP security 
must be part of a complete security system, of which IP security is 
just one component, the component which protects inter-router hops.  
A secure, trusted NAT can certainly be part of that system.

>> If not, then encrypt the IP header, since all the trusted routers
>> can decrypt it, decide how to route it, and then re-encrypt before
>> transmitting it.
>
>We don't do that, actually. You can't bring all the routers on the
>internet into your security perimeter -- that simply won't work. Thus,
>we don't try. IPsec works via encapsulation -- the outer IP address is
>in the clear, as it must be for routing to work. 

This is realistic, I stated this as my alternative.  However the outer IP
address must at least be verified somehow, either via a MAC over it or
duplicate routing information inside the protected encapsulation area.

>For stuff like NAT to work you would need to include all NAT boxes and
>routers in your security perimeter, and I fundamentally cannot think
>of a design for this stuff that will work and will involve arbitrary
>numbers of intermediate nodes on the global internet -- I believe that
>it just can't be done in practice. Maybe I'm just not bright enough,
>but I think that instead it's an issue of having enough arrows in my
>back to know better.
>

I absolutely agree.  In fact, regardless of NAT, all the routers must
be part of the security system (or security perimeter).  For an
arbitrary number of insecure routers, then I think only a transport
or application level security will work.

>> The really difficult issues of how to establish and control the
>> network of trusted nodes, and how to implement and enforce
>> network-wide policy can then be tackled.
>
>When you come up with a functioning protocol, let us know. I don't
>believe one is possible, but I'm more than willing to listen.
>

Admittedly it is a tough problem to solve, given the datagram nature of 
IP and its high performance requirements for routing.  It's much easier
to do it at the TCP level.

- Alex
--
Alex Alten
Andrade@Netcom.Com
P.O. Box 11406
Pleasanton, CA  94588  USA
(510) 417-0159
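The NAT interaction under discussion, as an added example that is not part of this thread: an AH-style integrity check covers the IP addresses, so an ordinary router decrementing TTL leaves it intact while a NAT rewriting the source address breaks it; carrying the original header inside the protected area (tunnel mode) lets the receiver still check the routing information after the outer header was changed. The key, addresses and payload are constructed values.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"  # constructed: shared key of the two IPsec peers

def pack_header(h):
    """Pack a minimal IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, h["tos"], 20 + h["plen"], h["id"],
                       h["flags_frag"], h["ttl"], h["proto"], 0, h["src"], h["dst"])

def ah_icv(h, payload):
    """AH-style ICV: HMAC over the header with the hop-adjusted fields
    (TOS, flags/fragment, TTL, checksum) zeroed, plus the payload.
    Addresses are covered, so rewriting them invalidates the MAC."""
    immutable = dict(h, tos=0, flags_frag=0, ttl=0)
    return hmac.new(KEY, pack_header(immutable) + payload, hashlib.sha256).digest()

def verify(h, payload, icv):
    return hmac.compare_digest(ah_icv(h, payload), icv)

def router_hop(h):
    """An ordinary router only touches the mutable fields."""
    return dict(h, ttl=h["ttl"] - 1)

def nat_hop(h, public_src):
    """A NAT box also rewrites the source address, which AH covers."""
    return dict(h, ttl=h["ttl"] - 1, src=public_src)

# Constructed packet from a private host (10.0.0.5) to a remote peer.
PAYLOAD = b"hello over ipsec"
HDR = {"tos": 0, "id": 1, "flags_frag": 0x4000, "ttl": 64, "proto": 51,
       "plen": len(PAYLOAD), "src": bytes([10, 0, 0, 5]), "dst": bytes([192, 0, 2, 1])}
NAT_SRC = bytes([203, 0, 113, 7])

def ah_after_router():
    return verify(router_hop(HDR), PAYLOAD, ah_icv(HDR, PAYLOAD))   # True

def ah_after_nat():
    return verify(nat_hop(HDR, NAT_SRC), PAYLOAD, ah_icv(HDR, PAYLOAD))  # False

def tunnel_after_nat():
    """Tunnel mode: the original header rides inside the protected payload,
    so the receiver can still check it after the outer header was rewritten."""
    inner = pack_header(HDR) + PAYLOAD
    tag = hmac.new(KEY, inner, hashlib.sha256).digest()
    outer = nat_hop(dict(HDR, plen=len(inner) + len(tag)), NAT_SRC)
    intact = hmac.compare_digest(hmac.new(KEY, inner, hashlib.sha256).digest(), tag)
    inner_src = inner[12:16]  # source address field of the protected inner header
    return intact and inner_src == HDR["src"] and outer["src"] != HDR["src"]  # True
```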


