RE: NAT and IPSEC INCOMPATIBLE???
I believe that one of the possibilities is to make a static binding.
If something comes to port X on the NAT gateway, it is forwarded to port Y on
host Z, if policy allows that.
Krzysztof
> ----------
> From: Derek Atkins[SMTP:warlord@MIT.EDU]
> Sent: Thursday, June 10, 1999 3:45 PM
> To: pcalhoun@eng.sun.com
> Cc: Pyda Srisuresh; danmcd@Eng.Sun.Com; johnbr@elastic.com;
> ipsec@lists.tislabs.com
> Subject: Re: NAT and IPSEC INCOMPATIBLE???
>
> How can you do port address translation on known incoming ports? For
> example, what do I do if I need to get to port X on your host, which
> is sitting behind a NAT firewall? Obviously I don't know you're
> sitting behind a NAT gateway; how is the NAT gateway supposed to know
> that a packet coming to port X is destined for host Y or host Z, both
> of whom may be using these NAT-unfriendly protocols?
>
> And no, an answer of "don't use NAT-unfriendly protocols" is not a
> valid answer, as many of these protocols were developed years (or
> decades) before NAT.
>
> -derek
>
> "pcalhoun@eng.sun.com" <Pat.Calhoun@Eng.Sun.Com> writes:
>
> >
> > agreed, but my comment was directed to the use of NAT in hotels. It was not
> > intended to be IPSec specific. I had *assumed* that they were doing port
> > translation (to conserve addresses).
> >
> >
> > PatC
> > >
> > > Pat,
> > >
> > > The accessibility provided by NAPT (Network Address Port Translator)
> > > is not any less than the accessibility provided by a host with a
> > > single address.
> > >
> > > Further, Bidirectional-NAT does not preclude inbound connections.
> > > It simply does address multiplexing - optimal use of limited
> > > addresses available.
> > >
> > > I suggest you take a look at <draft-ietf-nat-terminology-03.txt>
> > > prior to spreading misinformation.
> > >
> > > cheers,
> > > suresh
> > >
> > > >
> > > > And just to make matters worse, I could not have anyone connect directly to me
> > > > thanks to NAT (i.e. ftp, SIP, etc).
> > > >
> > > > PatC
> > > >
> > > > > > > By the way, there are certain markets where NAT is a requirement (such as
> > > > > > > running IP to the guest rooms in hotels)
> > > > >
> > > > > Until the hotels get more customers like Pat, who say that...
> > > > >
> > > > > > hmm... so I HAVE to trust my hotel? What kind of customers are they looking
> > > > > > for? If they are looking for the commuter, then NAT is a bad thing since I
> > > > > > will want to encrypt my data back to my corporate network.
> > > > >
> > > > > And by then they'll be looking for another alternative.
> > > > >
> > > > > > > and IPSec is also extremely high profile. It would help everyone out if
> > > > > > > there was a built-in method to scale arbitrarily
> > > > > > > large for address translated IPSec connections - just with ESP, I don't
> > > > > > > think that AH is as important to these users.
> > > > >
> > > > > And that alternative is IPv6. ESP works just fine over that.
> > > > >
> > > > > Dan
> > > >
> > > >
> > > >
> > >
> >
> >
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL N1NWH
> warlord@MIT.EDU PGP key available
>
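The static binding described at the top of this message, as an added example that is not part of the thread: a toy Python NAPT whose inbound table maps gateway port X to host Z port Y subject to a policy check, and which has no port field to key on when an ESP packet arrives. The gateway address, inside host, ports and packets are constructed sample values.

```python
# Added example (not from the thread): a toy NAPT gateway with a static
# inbound binding (gateway port X -> host Z port Y) gated by a policy check.
# Packets are plain dicts; all addresses and ports are constructed values.
from dataclasses import dataclass, field

GATEWAY_IP = "203.0.113.1"   # public side of the NAT gateway (constructed)


@dataclass
class Napt:
    # Static bindings: (protocol, gateway_port) -> (inside_host, inside_port)
    static: dict = field(default_factory=dict)
    # Policy: inside (host, port) pairs that may receive inbound traffic
    allowed: set = field(default_factory=set)

    def add_static(self, proto, gw_port, host, host_port):
        """Bind gateway port X to host Z port Y, if policy allows it."""
        if (host, host_port) not in self.allowed:
            raise PermissionError(f"policy forbids inbound to {host}:{host_port}")
        self.static[(proto, gw_port)] = (host, host_port)

    def inbound(self, pkt):
        """Translate a packet arriving on the public side; None means drop."""
        if pkt["dst"] != GATEWAY_IP:
            return None
        if pkt["proto"] in ("tcp", "udp"):
            target = self.static.get((pkt["proto"], pkt["dport"]))
            if target is None:
                return None   # no binding for this port: nothing to demultiplex on
            host, port = target
            return {**pkt, "dst": host, "dport": port}
        # ESP (IP protocol 50) carries an SPI, not a transport port, so a
        # port-keyed static binding has no field to match against.
        return None


def demo():
    """Forward inbound TCP 2222 to 10.0.0.5:22; an ESP packet is dropped."""
    nat = Napt(allowed={("10.0.0.5", 22)})
    nat.add_static("tcp", 2222, "10.0.0.5", 22)        # X=2222, Z=10.0.0.5, Y=22
    ssh = {"proto": "tcp", "src": "198.51.100.7", "dst": GATEWAY_IP, "dport": 2222}
    esp = {"proto": "esp", "src": "198.51.100.7", "dst": GATEWAY_IP, "spi": 0x1234}
    return nat.inbound(ssh), nat.inbound(esp)


if __name__ == "__main__":
    print(demo())
```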