
RE: IPSec Complexity



L2TP over IPsec will break going thru' traditional NAT. Of course 1 IPsec
tunnel can be supported thru' NAT at a time by implementing a hack in NAT. But
for a more generic solution, consider RSIP.
-Prakash
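
Added example, not code from either message: a small Python model of what Bill asks and Prakash answers. It assumes a traditional NAPT keyed on (protocol, source port), uses constructed RFC 5737 addresses and a toy keystream as a stand-in for the ESP cipher, and shows why L2TP's inner UDP checksum fails once the outer source address is rewritten, and why such a NAT can carry at most one ESP host at a time.

```python
import hashlib, ipaddress, struct

# Constructed toy values (RFC 5737 documentation addresses); nothing here is from the thread.
PUBLIC_IP, PEER = "203.0.113.1", "198.51.100.7"
ESP_KEY = b"constructed-esp-key"   # placeholder key for the toy ESP cipher below

def ip_sum(*chunks):
    """RFC 1071 one's-complement checksum over the concatenated chunks."""
    data = b"".join(chunks)
    if len(data) % 2: data += b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16: s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def pseudo_hdr(src, dst, udp_len):
    """UDP pseudo-header: the checksum binds the datagram to the IP addresses."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + struct.pack("!BBH", 0, 17, udp_len))

def udp_datagram(src, dst, sport, dport, data):
    length = 8 + len(data)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = ip_sum(pseudo_hdr(src, dst, length), hdr, data) or 0xFFFF
    return struct.pack("!HHHH", sport, dport, length, csum) + data

def udp_ok(src, dst, dgram):
    return ip_sum(pseudo_hdr(src, dst, len(dgram)), dgram) == 0

def esp_seal(spi, data):
    """Stand-in for ESP confidentiality: XOR with a SHA-256 keystream (toy, symmetric)."""
    ks = hashlib.sha256(ESP_KEY + struct.pack("!I", spi)).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, ks))

def napt_outbound(table, proto, src, sport=None):
    """Traditional NAPT keyed on (proto, src_port). ESP (50) has no port, so every inner
    host shares one key and the second host collides: the 'one tunnel at a time' limit."""
    key = (proto, sport if proto in (6, 17) else None)
    return PUBLIC_IP if table.setdefault(key, src) == src else None

def l2tp_over_esp_transport_through_nat():
    """L2TP (UDP 1701) inside ESP transport mode: the NAT rewrites the outer source
    address but cannot fix the encrypted inner UDP checksum, so the peer rejects it."""
    inner = udp_datagram("10.0.0.5", PEER, 1701, 1701, b"constructed L2TP control message")
    sealed = esp_seal(0x1001, inner)                    # all the NAT can see
    outer_src = napt_outbound({}, 50, "10.0.0.5")
    return udp_ok(outer_src, PEER, esp_seal(0x1001, sealed))   # peer decrypts, then checks

def esp_hosts_passing_nat(hosts):
    """Count how many inner hosts opening ESP to the same peer get a NAT mapping."""
    table = {}
    return sum(napt_outbound(table, 50, h) is not None for h in hosts)
```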

-----Original Message-----
From: William I. MacGregor [mailto:macgregor@austin.apc.slb.com]
Sent: Thursday, February 17, 2000 6:53 AM
To: ipsec@lists.tislabs.com
Subject: Re: IPSec Complexity


>In conclusion the paper recommends adopting ESP/tunnel mode with
>mandatory authentication and dropping the rest.  This certainly
>appeals to me as we were already pondering the idea of using tunnel
>mode everywhere (host-host, host-sg, sg-sg) for simplicity.
>

  That has been my conclusion and recommendation in my own company,
  too, after more than a little testing.

  It was interesting to hear the Intel take on this at the
  RSA Conference.  They suggested that transport mode is valuable
  on the LAN (i.e., not transiting firewalls) and tunnel mode in the WAN.
  Maybe (of course, they're selling IPSEC NICs).

  The Microsoft IPSEC-with-L2TP mode introduces another twist. 
  Does IPSEC-with-L2TP pass through port forwarding NAT OK?  This
  continues to be a major, major headache for
  us, and may be the make-or-break issue for the deployment of IPSEC
  in general use.  There are lots of gateways doing Port Address Translation,
  and more all the time.  Does IPSEC-with-L2TP make this easier, harder,
  neutral?  Will it pass through devices like the Linksys box?  We're
  going to see lots of these on broadband connects at home.

  Some of our guys have been testing IPSEC on portables on customers'
  LANs.  To do this, they have to persuade the customer to allow the
  IPSEC services through the firewall.  This is challenge enough, but
  if the customer is using PAT, it gets *really* tough.

  "Uh, excuse me, would you mind renumbering your network, or changing
  the gateway to use realm specific addressing, please?"

  - Bill

"At the end of the day, this is an ant farm with beepers."  - Dennis Miller
         William I. MacGregor <macgregor@austin.apc.slb.com>
Schlumberger, 8311 North RR 620, P.O. Box 200015, Austin, TX 78720-0015
            phone +1 512 331 3733, fax   +1 512 331 3760