
Re: Interactions between IPSEC and NAT



We all lock our house every morning when we go to work, although we know
that any average thief will be able to break it.  So many of us pay $3000
to install the home security system, although we know that any average
thief will cut your power line to disable the security system before they
enter the house.  NAT is valuable to many people.  As a NAT user, a less
than perfect security is better than NO security at all.  Don't you lock
your front door every morning?

Cheng

----- Previous Message ----------------------------------------------------



To:     Dan Nessett <Dan_Nessett @tdc.3com.com>
cc:     ipsec @tis.com
        nat @livingston.com
From:   "Perry E. Metzger" <perry@piermont.com>  @ UGATE
Date:   Wednesday  February 4, 1998 03:59 PM
Subject:  Re: Interactions between IPSEC and NAT
---------------------------------------------------------------------------




Dan Nessett writes:
> Anyone thought about this so that they can provide us with a nice clean
> answer :-) ?

Yes. If you want security, you can't use NAT, because by definition
the thing NAT is trying to do (peek in and/or alter your packets) is
what security is designed to prevent. Protocols like SSL have exactly
the same issue, btw. Any protocol that protects the contents of your
data will have the same issue.

This is not fixable -- any "fixes" someone could propose to this would
be so horrible as to make the entire point of security moot.

Perry







