Re: I-D ACTION:draft-shukla-ipsec-nat-qos-compatible-security-00.txt
>>>>> "Scott" == Scott Fluhrer <sfluhrer@cisco.com> writes:
Scott> They appear to be requiring that the NAT gateways share copies of
Scott> the IPSec keys with the end hosts. If I am interpreting this right,
Scott> then:
Scott> - The fact that there are more than two systems with knowledge of the
Scott> secret keys is not listed in the Security Considerations -- IMHO,
Scott> it really should be
Scott> - The draft does not address how the key transport is to be done
Scott> securely
More importantly:
Even if you invent a secure way to share the keys with the NAT gateway,
since you have now caused new software on the client and the gateway, then
you might as well do it right and use RSIP, SPP, ESPUDP or IPv6.
All NAT compatibility solutions must be evaluated against RSIP and SPP
in particular.
In addition, doing:
client                     nat gateway
IPv4-1/ESP/IPv6            IPv4-1/ESP/IPv6/IPv4
using 6to4 addressing, seems as good to me as doing NAPT. The only
disadvantage is 20 bytes extra overhead. But that goes away as you transition
to IPv6.
I.e. if you are going to encapsulate, you might as well use IPv6.
:!mcr!:            | Solidum Systems Corporation, http://www.solidum.com
Michael Richardson | Travelling... if you don't know where I am, how should I?
Personal: mcr@sandelman.ottawa.on.ca (http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html). PGP key available.
Corporate: mcr@solidum.com.
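The 6to4 encapsulation Michael sketches above, worked through as an added example that is not part of this thread: derive the RFC 3056 prefix a gateway's public IPv4 address owns, check a decapsulated packet's embedded IPv4 against the outer IPv4 source (a consistency check a gateway should make before accepting 6to4 traffic), and confirm the 20-byte difference between the two header stacks. The header sizes, the constructed addresses and the ESP size argument are assumptions, not values from the message.

```python
from __future__ import annotations

import ipaddress
from typing import List, Optional

# Assumed fixed header sizes in bytes; ESP header+trailer varies with the
# cipher and ICV, so it is passed in by the caller.
HDR = {"IPv4": 20, "IPv6": 40}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def can_own_6to4_prefix(v4: str) -> bool:
    """A host behind NAT holds an RFC 1918 address and cannot derive a routable
    6to4 prefix from it; only the gateway's public address qualifies."""
    addr = ipaddress.IPv4Address(v4)
    return not any(addr in n for n in RFC1918)


def sixto4_prefix(v4: str) -> ipaddress.IPv6Network:
    """RFC 3056: public IPv4 address W.X.Y.Z owns the prefix 2002:WWXX:YYZZ::/48."""
    if not can_own_6to4_prefix(v4):
        raise ValueError(f"{v4} is private; use the gateway's public address")
    v4_int = int(ipaddress.IPv4Address(v4))
    # 16-bit 2002 FP/TLA, then the 32-bit IPv4 address, then 80 zero bits.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))


def embedded_ipv4(v6: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address carried in a 6to4 address, or None if not 2002::/16."""
    addr_int = int(ipaddress.IPv6Address(v6))
    if (addr_int >> 112) != 0x2002:
        return None
    return ipaddress.IPv4Address((addr_int >> 80) & 0xFFFFFFFF)


def outer_matches_inner(outer_src_v4: str, inner_src_v6: str) -> bool:
    """Decapsulation sanity check: the IPv4 source of the encapsulating packet
    must equal the IPv4 embedded in the inner 6to4 source address."""
    return embedded_ipv4(inner_src_v6) == ipaddress.IPv4Address(outer_src_v4)


def header_overhead(stack: List[str], esp_bytes: int) -> int:
    """Total encapsulation bytes for a stack such as ['IPv4', 'ESP', 'IPv6']."""
    return sum(esp_bytes if h == "ESP" else HDR[h] for h in stack)
```

The gateway-side stack costs exactly one extra IPv4 header over the client-side stack whatever ESP size is assumed, which is the 20 bytes the message refers to.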