ipsec@tis.com,
        nat@livingston.com, paul_douglas@3com.com, raj_bhatia@3com.com,
        ken_araujo@3com.com
Subject: Re: (NAT) Re: Interactions between IPSEC and NAT 
In-reply-to: Your message of "Thu, 05 Feb 98 11:32:46 EST."
             <199802051632.LAA05572@jekyll.piermont.com> 
Date: Thu, 05 Feb 98 08:48:27 PST
From: Yakov Rekhter <yakov@cisco.com>
Sender: owner-ipsec@portal.ex.tis.com
Precedence: bulk

Perry,
 
> Cheng_Chen@3com.com writes:
> > We all lock our house every morning when we go to work, although we know
> > that any average thief will be able to break it.  So many of us pay $3000
> > to install the home security system, although we know that any average
> > thief will cut your power line to disable the security system before they
> > enter the house.  NAT is valuable to many people.  As a NAT user, a less
> > than perfect security is better than NO security at all.  Don't you lock
> > your front door every morning?
> 
> Imagine that you have the choice between a $10 lock that works
> perfectly and is highly secure, or a $1000 lock that requires that a
> thief sneeze at it for it to open itself. Which would you choose?
> 
> IPsec is a simple yet very secure protocol.  You are proposing making
> it complicated and costly in an effort to remove all the protection it
> would provide. I am not sure that there is a point to that.
> 
> An IPsec with the ability to modify the packets in flight is like a
> contraceptive that lets you get pregnant. "All the disadvantages of
> condoms, with all the disadvantages of pregnancy and AIDS
> combined!" Why would anyone want such a thing?

Let me just say that some of the assumptions that IPsec was designed
with don't match reality. On the orthogonal, yet somewhat related
topic, it may be wise to remember that "reality has a way of adjusting 
those who think they can adjust it".

Yakov.