Re: NAT and IPSEC INCOMPATIBLE???
I can see no reason for a hotel to use 1-1 address NAT. That gains them
nothing if they are doing NAT to conserve IP address space. I can see
a need for a nice protocol which would allow a hotel to request a new subnet
from a larger block and then advertise it to their ISP. That would allow some
hotel chain to purchase a block of addresses from a single ISP and have them
allocated to the hotels that need them. That would significantly reduce the
cost of provisioning IP addresses.
While ESP can co-exist with NAPT provided that the NAPT understands
how to map SPIs in/out, there are some more fundamental problems:
1. SPI collision
2. IKE session collision
3. IKE trust relationships (what does the cert contain?)
4. rekeying by "gateway"
There has been a long discussion of this on the Linux-Ipsec (FreeSWAN)
mailing list:
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/05/msg00293.html
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/03/msg00016.html
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1998/fall/msg00018.html
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | ...working from my front lawn with a long cord...
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
Corporate: http://www.sandelman.ottawa.on.ca/SSW/
ON HUMILITY: To err is human, to moo bovine.
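As an added illustration, not part of the message above and not code from FreeS/WAN or any NAPT product: a toy Python model of the SPI-tracking NAPT the message describes. The point it makes concrete is problem 1 in the list: ESP has no port numbers and the SPI sits under ESP's integrity check, so the NAPT can rewrite addresses but must demultiplex inbound ESP on (peer, SPI) values that each inside host chose without knowing about its neighbours. The bind() step stands in for whatever mechanism (IKE snooping, for instance) the NAPT would use to learn an SA pair; that, the class and method names, and the addresses are all assumptions made for the example.

```python
# Added example, not from the original message: a hypothetical SPI-aware
# NAPT in front of ESP clients. Addresses and SPI values are made up.
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class EspPacket:
    src: str
    dst: str
    spi: int  # carried in the ESP header and covered by ESP's integrity check


class SpiCollision(Exception):
    """Two inside hosts chose the same inbound SPI for SAs with the same peer."""


class SpiNapt:
    """NAPT that tracks ESP SAs by (peer, SPI) instead of by port.

    The SPI cannot be rewritten, so the inbound lookup depends entirely on
    SPIs picked independently by each inside host.
    """

    def __init__(self, public_ip):
        self.public_ip = public_ip
        # (peer_ip, SPI the inside host receives on) -> inside_ip
        self.inbound = {}
        # (inside_ip, peer_ip, SPI the peer receives on), for outbound checks
        self.outbound = set()

    def bind(self, inside_ip, peer_ip, spi_in, spi_out):
        """Register an SA pair; assumed to be learned from IKE (hypothetical)."""
        key = (peer_ip, spi_in)
        owner = self.inbound.get(key)
        if owner is not None and owner != inside_ip:
            raise SpiCollision(
                f"inbound SPI {spi_in:#010x} from {peer_ip} already owned by {owner}")
        self.inbound[key] = inside_ip
        self.outbound.add((inside_ip, peer_ip, spi_out))

    def translate_out(self, pkt):
        """Rewrite the source address of an inside host's ESP packet."""
        if (pkt.src, pkt.dst, pkt.spi) not in self.outbound:
            return None  # no known SA for this host/peer/SPI: drop
        return EspPacket(self.public_ip, pkt.dst, pkt.spi)

    def translate_in(self, pkt):
        """Demultiplex an inbound ESP packet on (peer, SPI) only."""
        if pkt.dst != self.public_ip:
            return None
        inside = self.inbound.get((pkt.src, pkt.spi))
        if inside is None:
            return None  # unknown SPI: nowhere to deliver it
        return EspPacket(pkt.src, inside, pkt.spi)


def collision_probability(n_hosts, spi_bits=32):
    """Birthday bound on n hosts behind one NAPT, all talking to the same
    peer, independently picking random SPIs of the given width."""
    space = 2 ** spi_bits
    return 1.0 - math.exp(-n_hosts * (n_hosts - 1) / (2.0 * space))


def demo():
    napt = SpiNapt("198.51.100.1")
    gw = "203.0.113.9"  # one remote IPsec gateway shared by several guests
    napt.bind("10.0.0.2", gw, spi_in=0x1000, spi_out=0xAAAA)
    napt.bind("10.0.0.3", gw, spi_in=0x2000, spi_out=0xBBBB)
    out = napt.translate_out(EspPacket("10.0.0.2", gw, 0xAAAA))
    back = napt.translate_in(EspPacket(gw, "198.51.100.1", 0x2000))
    try:
        # A third guest happens to pick the same inbound SPI as the first.
        napt.bind("10.0.0.4", gw, spi_in=0x1000, spi_out=0xCCCC)
        collided = False
    except SpiCollision:
        collided = True
    return out, back, collided


if __name__ == "__main__":
    print(demo())
    print(f"P(collision) for 1000 hosts: {collision_probability(1000):.2e}")
```

With random 32-bit SPIs the birthday bound stays small for a hotel-sized population, but the model also shows the harder part of the problem: the NAPT only has an inbound entry at all because something told it the SA pair, which is why the message points at IKE session handling and rekeying as the more fundamental issues.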