Re: Interactions between IPSEC and NAT
Alex Alten writes:
> At 01:09 AM 2/5/98 -0500, Perry E. Metzger wrote:
> >
> >Alex Alten writes:
> >> This is what bothers me about the direction IPSEC has taken. The
> >> addition of security should not break things like trusted NATs.
> >
> >The function of IPsec is to keep a packet from being touched or read
> >in transit.
>
> IP packets are designed with routing in mind. There are fields which
> need to be adjusted between hops. This means IP security can only be
> designed with a single hop in mind.
Maybe you ought to read the spec. It might answer a lot of your
questions. Believe it or not, we did know what we were doing.
> In fact, regardless of NAT, all the routers must be part of the
> security system (or security perimeter). For an arbitrary number of
> insecure routers, I think only transport- or application-level
> security will work.
Your viewpoint is a wee bit unrealistic -- there is, in practice, no
way to make even a tiny fraction of the routers trusted. It is also
unneeded -- we know how to provide security in a network where nothing
except the endpoints need to be trusted. Might I suggest that you
study this topic a bit more in depth before commenting further?
Perry
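An added illustration (not code from the thread) of the point the spec settles: AH (RFC 2402) computes its ICV with the per-hop mutable IPv4 fields zeroed, so a router decrementing TTL leaves the check valid, while a NAT rewriting the source address, which AH covers as immutable, breaks it. The key and addresses are constructed sample values, and the ICV here covers only the IP header for brevity.

```python
import hashlib
import hmac
import struct

def _addr(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def with_checksum(header: bytes) -> bytes:
    h = bytearray(header)
    h[10:12] = bytes(2)
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)

def build_ipv4_header(src: str, dst: str, ttl: int) -> bytes:
    # Minimal IPv4 header: no options, DF set, protocol 51 (AH); sample values.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, 51, 0,
                      _addr(src), _addr(dst))
    return with_checksum(hdr)

def zero_mutable_fields(header: bytes) -> bytes:
    """AH zeroes TOS, flags/fragment offset, TTL and checksum before hashing."""
    h = bytearray(header)
    h[1] = 0             # TOS
    h[6:9] = bytes(3)    # flags + fragment offset, TTL
    h[10:12] = bytes(2)  # header checksum
    return bytes(h)

def ah_icv(key: bytes, header: bytes) -> bytes:
    """HMAC-SHA1-96 (RFC 2404) over the header; AH header and payload omitted."""
    return hmac.new(key, zero_mutable_fields(header), hashlib.sha1).digest()[:12]

def router_hop(header: bytes) -> bytes:
    """What an ordinary router does: decrement TTL, refresh the checksum."""
    h = bytearray(header)
    h[8] -= 1
    return with_checksum(bytes(h))

def nat_rewrite(header: bytes, new_src: str) -> bytes:
    """What a NAT does: rewrite the source address, which AH treats as immutable."""
    h = bytearray(header)
    h[12:16] = _addr(new_src)
    return with_checksum(bytes(h))

def icv_still_valid(key: bytes, sent: bytes, received: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, sent), ah_icv(key, received))
```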