[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Interactions between IPSEC and NAT
Cheng_Chen@3com.com writes:
> We all lock our house every morning when we go to work, although we know
> that any average thief will be able to break it. So many of us pay $3000
> to install the home security system, although we know that any average
> thief will cut your power line to disable the security system before they
> enter the house. NAT is valuable to many people. As a NAT user, a less
> than perfect security is better than NO security at all. Don't you lock
> your front door every morning?
Imagine that you have the choice between a $10 lock that works
perfectly and is highly secure, or a $1000 lock that requires that a
thief sneeze at it for it to open itself. Which would you choose?
IPsec is a simple yet very secure protocol. You are proposing making
it complicated and costly in an effort to remove all the protection it
would provide. I am not sure that there is a point to that.
An IPsec with the ability to modify the packets in flight is like a
contraceptive that lets you get pregnant. "All the disadvantages of
condoms, with all the disadvantages of pregnancy and and AIDS
combined!" Why would anyone want such a thing?
Perry
References: