
Re: (NAT) Re: Interactions between IPSEC and NAT

Of course I need to think about this quite a bit, but it seems that SOCKS
has some potential in this area. For those that do not know what SOCKS is, I
can summarize that it can be used as an alternative to NAT (and much more).

The way SOCKS works is that a "shim" is placed in all clients on the
private network between the application and the network layer. The shim
"intercepts" bind and connect requests and forwards these requests as SOCKS
messages to a pre-configured Proxy gateway. So all traffic on the public
network looks like it is from the SOCKS gateway, much like a NAT server.

In the case of a BIND request, which is used for incoming connections from
the public network, a response is sent to the SOCKS client which includes
the port allocated by the SOCKS gateway as well as the gateway's bind IP
address. A similar mechanism is done for CONNECT requests for clients
connecting from the private to the public network.

I wonder if a change on the SOCKS client would allow the client to simply
use the source IP address and port contained in the BIND or CONNECT
request, which is the SOCKS gateway.

I think that this proposal would allow end to end encryption AND
authentication since the SOCKS gateway would no longer need to change the
packet. Note that this is not the current behavior of a SOCKS server, so it
would require some changes.

Disadvantages:
     - Requires some changes on the client station.
     - Complicates troubleshooting on the private network since all packets
come from the same IP address.
     - May have to change any source address filtering if it exists on the
private network.

Advantages:
     - Allows encryption and authentication end to end!

Thanks,

PatC
3Com
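As an added illustration (not part of the post above), the following encodes a SOCKS CONNECT request and decodes the gateway's reply, showing where the gateway's bound IP address and port, the values the proposal would have the client adopt as its own source, actually appear on the wire. It assumes SOCKS version 5 framing per RFC 1928 (the post does not name a version) and IPv4 addresses only; all addresses are constructed documentation values.

```python
import socket
import struct
from typing import Optional, Tuple

SOCKS5 = 0x05
CMD_CONNECT, CMD_BIND = 0x01, 0x02   # RFC 1928 section 4 command codes
ATYP_IPV4 = 0x01                     # address type: 4-octet IPv4
REP_SUCCEEDED = 0x00                 # RFC 1928 section 6 reply code

def build_request(cmd: int, dst_ip: str, dst_port: int) -> bytes:
    """Encode a SOCKS5 CONNECT or BIND request: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    return struct.pack("!BBBB4sH", SOCKS5, cmd, 0x00, ATYP_IPV4,
                       socket.inet_aton(dst_ip), dst_port)

def parse_reply(data: bytes) -> Tuple[int, str, int]:
    """Decode the gateway's reply: VER REP RSV ATYP BND.ADDR BND.PORT.

    BND.ADDR and BND.PORT are the address and port the gateway itself bound on
    the public side, which is exactly the identity the post suggests the
    (modified) client could use directly.
    """
    if len(data) < 10 or data[0] != SOCKS5:
        raise ValueError("not a SOCKS5 reply")
    _ver, rep, _rsv, atyp = data[:4]
    if atyp != ATYP_IPV4:
        raise ValueError("only IPv4 replies are handled in this example")
    bnd_addr = socket.inet_ntoa(data[4:8])
    bnd_port = struct.unpack("!H", data[8:10])[0]
    return rep, bnd_addr, bnd_port

def gateway_identity(reply: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) the client would adopt as its public source, or None
    if the gateway reported a failure."""
    rep, addr, port = parse_reply(reply)
    return (addr, port) if rep == REP_SUCCEEDED else None

# Constructed sample exchange (documentation addresses, not real hosts):
# the private client asks to CONNECT to 203.0.113.10:443; the gateway answers
# success with its own public address 198.51.100.1 and allocated port 40000.
SAMPLE_REQUEST = build_request(CMD_CONNECT, "203.0.113.10", 443)
SAMPLE_REPLY = (bytes([SOCKS5, REP_SUCCEEDED, 0x00, ATYP_IPV4])
                + socket.inet_aton("198.51.100.1") + struct.pack("!H", 40000))

if __name__ == "__main__":
    print("request :", SAMPLE_REQUEST.hex())
    print("reply   :", SAMPLE_REPLY.hex())
    print("public identity from gateway:", gateway_identity(SAMPLE_REPLY))
```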