
Re: NAT and IPSEC INCOMPATIBLE???




  I can see no reason for a hotel to use 1-1 address NAT. That gains them
nothing if they are doing NAT to conserve IP address space. I can see 
a need for a nice protocol which would allow a hotel to request a new subnet
from a larger block and then advertise it to their ISP. That would allow some
hotel chain to purchase a block of addresses from a single ISP and have them
allocated to the hotels that need them. That would significantly reduce the
cost of provisioning IP addresses.

  While ESP can co-exist with NAPT provided that the NAPT understands
how to map SPIs in/out, there are some more fundamental problems:
	1. SPI collision
	2. IKE session collision
	3. IKE trust relationships (what does the cert contain?)
	4. rekeying by "gateway"

  There has been a long discussion of this on the Linux-Ipsec (FreeSWAN)
mailing list:

http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/05/msg00293.html
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/03/msg00016.html
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1998/fall/msg00018.html

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |   ...working from my front lawn with a long cord...
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.