
Re: I-D ACTION:draft-shukla-ipsec-nat-qos-compatible-security-00.txt



----- Original Message -----
From: "Markus Stenberg" <mstenber@ssh.com>
>
> from 5.3:
>
>    The drawbacks of this approach are that it will require
>    modifications to existing NAT implementations, and will have
>    overhead in book-keeping to ensure that no two hosts use the same
>    port number.
>
> To be specific, it does NOT require changes to the intervening NAT devices
> on the network path between IPsec endpoints. One endpoint MAY need to contain
> a NAT implementation, which obviously is nonstandard as it performs
> (host,port) <> internal-host mapping in some cases.
>

As you explained yourself, it does NOT require ANY changes to the
NAT devices. In the situations where the effect of NAT must be
reversed, some additional functionality is needed and that can be
implemented without any modifications to the NAT. I think you are
thinking of merging this functionality with the NAT implementation,
which is not the case.



