
Re: (NAT) Re: Interactions between IPSEC and NAT



Jim,

On Thu, 5 Feb 1998 bound@zk3.dec.com wrote:

> 
> I have already figured out to avoid NAT in most cases with IPv6 and now
> working on an NNAT for IPv4 if I can find someone who wants to do the
> writing?  At first I thought DHCPv4 could not do NNAT but now I think it
> can though it does not have the Reconfigure msg of DHCPv6 I think we can
> do it with Multicast packets.  The other option is to use DHCPv6 for
> IPv4 nodes too, which is possible.

Glad to hear that you decided to work on that. I always thought it was a
good idea.

> 
> For those that want IPSEC, but need a temporary address like NAT does,
> the goal is to just avoid using NAT and I think this is very doable.

Exactly! 'NAT bypass' is one way to do that and I hope you will find out
another.

> 
> I am not saying that NAT cannot still be used cause it will at least
> until IPv6 is pervasive, but I think we (engineers) are trying to solve
> this problem in the wrong way.  We should be working on solutions to
> avoid NAT when it is not an optimal way to do "business" on the Internet.

In all this thread of discussion three solutions for NAT and IPSEC
coexistence have been proposed.

1) Implement NAT and IPSEC at the same node. This can give you gateway to
gateway security.

2) Do the above plus IPSEC between end-user and NAT. This can only work if
the NAT is trusted and will give a kind of end to end security, though a
lot of people will argue with this...

3) Try to avoid NAT when IPSEC (or other end-to-end sensitive app.) is
required. 'NAT bypass' attempts to do exactly that by building an l2tp
tunnel (nothing to do with IPSEC tunnels) between itself and the NAT. The
NAT then sends a global IP address through the tunnel and the host can now
use the globally valid IP address to do IPSEC end-to-end, bypassing the NAT
function.

> 
> Do we discuss such notions here or do we need to have an Avoidance of
> NAT BOF and eventual Working Group at the L.A. IETF?
> 

I think NAT BOF (WG?) should be OK for that. I think NAT BOF was not about
making NAT work, it was more about addressing the problems that NAT
introduces.

> Changing IPSEC for NAT is a bad engineering idea IMO.  

Agree!

> 
> /jim
> 


Best Regards
George
-----------------------------
Internet Transport Research |
BTLABS                      |
--------------------------------------------------------------------------
Notice: This contribution is the personal view of the author and does not
necessarily reflect the technical nor commercial direction of British
Telecommunications plc.
--------------------------------------------------------------------------
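The three coexistence options above are easier to compare with a small model of the underlying interaction: an IPsec AH integrity check covers the immutable IP header fields (the addresses included), so any rewrite by a NAT on the path invalidates the check, while a NAT that sits on the same node as the IPsec gateway (option 1) or a host that sends from a globally valid address (option 3, 'NAT bypass') never hits that problem. This is an added example written for this archive page, not code from the thread or from any IETF draft; the shared key, the prefixes and the 96-bit HMAC-SHA256 truncation are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress

# Constructed shared key for the demo; a real SA gets its key from IKE or manual configuration.
KEY = b"constructed-demo-key"


def ah_icv(src, dst, payload):
    """Integrity check value over what AH protects in this model: the immutable
    header fields (source and destination address) plus the payload. Mutable
    fields such as TTL are zeroed by AH and are simply omitted here."""
    data = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]  # truncated to 96 bits


def protect(src, dst, payload):
    """Sender side: attach the ICV to the packet."""
    return {"src": src, "dst": dst, "payload": payload, "icv": ah_icv(src, dst, payload)}


def verify(pkt):
    """Receiver side: recompute the ICV over the header as received."""
    return hmac.compare_digest(pkt["icv"], ah_icv(pkt["src"], pkt["dst"], pkt["payload"]))


def nat_translate(pkt, private_prefix, global_addr):
    """Model of a NAT: rewrite a private source address to the NAT's global
    address, leave a globally routable source untouched."""
    out = dict(pkt)
    if ipaddress.IPv4Address(pkt["src"]) in ipaddress.IPv4Network(private_prefix):
        out["src"] = global_addr
    return out


# Constructed addresses: RFC 1918 space behind the NAT, documentation ranges elsewhere.
PRIVATE = "10.0.0.0/8"
NAT_GLOBAL = "198.51.100.1"
REMOTE = "192.0.2.10"


def scenario_end_host_through_nat():
    """Host applies AH on its private address, a NAT on the path rewrites it:
    the remote peer's check fails."""
    pkt = protect("10.0.0.5", REMOTE, b"hello")
    return verify(nat_translate(pkt, PRIVATE, NAT_GLOBAL))


def scenario_option1_gateway():
    """Option 1: NAT and IPsec on the same node. Translation happens first,
    the gateway then protects the already-translated header."""
    plain = {"src": "10.0.0.5", "dst": REMOTE, "payload": b"hello", "icv": b""}
    translated = nat_translate(plain, PRIVATE, NAT_GLOBAL)
    pkt = protect(translated["src"], translated["dst"], translated["payload"])
    return verify(pkt)


def scenario_option3_nat_bypass():
    """Option 3: the host sends from a globally valid address it obtained through
    the tunnel, so the NAT function never rewrites the header."""
    pkt = protect("198.51.100.7", REMOTE, b"hello")
    return verify(nat_translate(pkt, PRIVATE, NAT_GLOBAL))


if __name__ == "__main__":
    print("end host behind NAT  :", scenario_end_host_through_nat())  # False
    print("option 1, same node  :", scenario_option1_gateway())       # True
    print("option 3, NAT bypass :", scenario_option3_nat_bypass())    # True
```

The model deliberately stops at AH-style header coverage; ESP in transport mode fails for a different reason (the TCP/UDP checksum inside the encrypted payload no longer matches the rewritten addresses), but the conclusion the thread reaches is the same: place the translation where the integrity check does not see it, or give the host an address that needs no translation.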