
Re: NAT and IPSEC INCOMPATIBLE???







Mr. Thomas Cosenza
Software Eng. IBM
T/L 441-8782
"I always said that you can get more with a kind word and a two by four than you
can get with a kind word",  Marcus B5



"pcalhoun@eng.sun.com" <Pat.Calhoun@Eng.Sun.Com> on 06/10/99 01:43:49 PM

Please respond to "pcalhoun@eng.sun.com" <Pat.Calhoun@Eng.Sun.Com>

To:   Dan McDonald <danmcd@Eng.Sun.Com>
cc:   Pat.Calhoun@Eng.Sun.Com, johnbr@elastic.com, ipsec@lists.tislabs.com (bcc:
      Thomas Cosenza/Raleigh/IBM)
Subject:  Re: NAT and IPSEC INCOMPATIBLE???





And just to make matters worse, I could not have anyone connect directly to me
thanks to NAT (i.e. ftp, SIP, etc).

PatC

> > > By the way, there are certain markets where NAT is a requirement (such as
> > > running IP to the guest rooms in hotels)
>
> Until the hotels get more customers like Pat, who say that...
>
> > hmm... so I HAVE to trust my hotel? What kind of customers are they looking
> > for? If they are looking for the commuter, then NAT is a bad thing since I
> > will want to encrypt my data back to my corporate network.
>
> And by then they'll be looking for another alternative.
>
> > > and IPSec is also extremely high profile.   It would help everyone out if
> > > there was a built-in method to scale arbitrarily
> > > large for address translated IPSec connections - just with ESP, I don't
> > > think that AH is as important to these users.
>
> And that alternative is IPv6.  ESP works just fine over that.
>
Could you not use ESP with an authentication alg if you wanted to make sure
where the packet came from?

Thomas