
Re: Interactions between IPSEC and NAT
Alex Alten writes:
> At 01:09 AM 2/5/98 -0500, Perry E. Metzger wrote:
> >
> >Alex Alten writes:
> >> This is what bothers me about the direction IPSEC has taken.  The
> >> addition of security should not break things like trusted NATs.
> >
> >The function of IPsec is to keep a packet from being touched or read
> >in transit. 
> 
> IP packets are designed with routing in mind.  There are fields which
> need to be adjusted between hops.  This means IP security can only be 
> designed with a single hop in mind.

Maybe you ought to read the spec. It might answer a lot of your
questions. Believe it or not, we did know what we were doing.

> In fact, regardless of NAT, all the routers must be part of the
> security system (or security perimeter).  For an arbitrary number of
> insecure routers, then I think only a transport or application level
> security will work.

Your viewpoint is a wee bit unrealistic -- there is, in practice, no
way to make even a tiny fraction of the routers trusted. It is also
unneeded -- we know how to provide security in a network where nothing
except the endpoints needs to be trusted. Might I suggest that you
study this topic a bit more in depth before commenting further?

Perry
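As an added illustration (not part of this thread, and a simplified model of the AH integrity check rather than the spec's exact construction): the fields a router must adjust per hop, such as TTL and the header checksum, are zeroed before the integrity value is computed, so a hop does not break verification, while a NAT rewriting the source address, which AH treats as immutable, does. The key, addresses and payload below are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed 20-byte IPv4 header layout, no options:
# ver/IHL, TOS, total len, id, flags/frag, TTL, proto, checksum, src, dst
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")

def zero_mutable_fields(hdr: bytes) -> bytes:
    """Zero the fields AH treats as mutable in transit (TOS, flags/fragment
    offset, TTL, header checksum) so per-hop changes don't affect the ICV."""
    ver_ihl, _tos, tot_len, ident, _ff, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack(hdr)
    return IPV4_HDR.pack(ver_ihl, 0, tot_len, ident, 0, 0, proto, 0, src, dst)

def compute_icv(key: bytes, hdr: bytes, payload: bytes) -> bytes:
    """Simplified AH-style ICV: HMAC over the immutable header fields and the
    payload. (Real AH also covers the AH header itself; omitted here.)"""
    return hmac.new(key, zero_mutable_fields(hdr) + payload, hashlib.sha256).digest()

def verify_icv(key: bytes, hdr: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(compute_icv(key, hdr, payload), icv)

def router_hop(hdr: bytes) -> bytes:
    """What every router does: decrement TTL and recompute the checksum
    (the checksum value is irrelevant to the ICV, so 0 stands in for it)."""
    f = list(IPV4_HDR.unpack(hdr))
    f[5] -= 1
    f[7] = 0
    return IPV4_HDR.pack(*f)

def nat_rewrite(hdr: bytes, new_src: bytes) -> bytes:
    """What a NAT does: replace the source address, an immutable field."""
    f = list(IPV4_HDR.unpack(hdr))
    f[8] = new_src
    return IPV4_HDR.pack(*f)

KEY = b"constructed-demo-key"          # constructed, not a real SA key
PAYLOAD = b"hello"                     # constructed upper-layer data
ORIGINAL = IPV4_HDR.pack(0x45, 0, 20 + len(PAYLOAD), 1, 0, 64, 51, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def demo():
    """Returns (verifies after a router hop, verifies after NAT)."""
    icv = compute_icv(KEY, ORIGINAL, PAYLOAD)
    after_router = router_hop(ORIGINAL)
    after_nat = nat_rewrite(ORIGINAL, bytes([192, 0, 2, 1]))
    return (verify_icv(KEY, after_router, PAYLOAD, icv),
            verify_icv(KEY, after_nat, PAYLOAD, icv))

if __name__ == "__main__":
    print(demo())  # (True, False)
```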
