
Re: RFC 2401 section 5.2.1



 In your previous mail you wrote:

   Transport mode does not solve the end-to-end security problem.
   In fact, either mode of IPSec cannot traverse NAT and is not
   capable of providing end-to-end security.

=> NATs are *not* in the Internet architecture and *do* break
any end-to-end properties. 

   One exception is the
   LAN configuration where you do not have to deal with NAT.

=> this discussion is in the IPv6 context where NATs are *not* welcome.

   A whole lot of work has been done to address this problem, e.g. RSIP,
   UDP encapsulation etc.
   
=> something which modifies packets on the fly should not be considered
where we talk about end-to-end security (or end-to-end something) IMHO.

Regards

Francis.Dupont@enst-bretagne.fr
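The point argued in this exchange, that a device which rewrites packets in flight cannot coexist with IPsec's end-to-end integrity protection, can be shown with a small simulation. The following is an added example, not code from the mail or from any IPsec implementation: it models AH's integrity check value (computed over the IP header with the mutable fields zeroed, so that source and destination addresses are covered) and the TCP pseudo-header checksum that an ESP transport-mode payload carries inside the encrypted segment. The key, addresses and packet contents are constructed for the demonstration, and the ICV uses a truncated HMAC-SHA256 rather than the algorithms of the era, which does not change the outcome: a TTL decrement by an ordinary router leaves both checks intact, while a NAT rewriting the source address invalidates both.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed demo key; stands in for the SA's authentication key.
KEY = b"constructed-demo-key"


def ipv4_header(src, dst, ttl=64, proto=51, total_len=60):
    """Build a minimal 20-byte IPv4 header (no options). proto 51 = AH."""
    ver_ihl, tos, ident, flags_frag, checksum = 0x45, 0, 0x1234, 0, 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, checksum,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(hdr):
    """AH covers the IP header with the fields a router may legitimately
    change (TOS, flags/fragment offset, TTL, header checksum) zeroed.
    Source and destination addresses are immutable and stay covered."""
    b = bytearray(hdr)
    b[1] = 0                  # TOS
    b[6:8] = b"\x00\x00"      # flags + fragment offset
    b[8] = 0                  # TTL
    b[10:12] = b"\x00\x00"    # header checksum
    return bytes(b)


def ah_icv(hdr, payload, key=KEY):
    """Simplified AH ICV: keyed hash over the immutable header and payload."""
    return hmac.new(key, zero_mutable_fields(hdr) + payload,
                    hashlib.sha256).digest()[:12]


def verify_ah(hdr, payload, icv, key=KEY):
    return hmac.compare_digest(ah_icv(hdr, payload, key), icv)


def inet_checksum(data):
    """Standard 16-bit ones'-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def tcp_checksum(src, dst, segment):
    """TCP checksum over the pseudo-header (addresses, proto 6, length)
    plus the segment; returns 0 when a segment's stored checksum is valid."""
    pseudo = (ipaddress.IPv4Address(src).packed
              + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    return inet_checksum(pseudo + segment)


def tcp_segment(src, dst, sport=40000, dport=80):
    """Minimal 20-byte TCP header with a correct checksum for src/dst."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02,
                      65535, 0, 0)
    cksum = tcp_checksum(src, dst, seg)
    return seg[:16] + struct.pack("!H", cksum) + seg[18:]


def decrement_ttl(hdr):
    """What a normal router does: a mutable field changes, nothing else."""
    b = bytearray(hdr)
    b[8] -= 1
    return bytes(b)


def nat_rewrite_source(hdr, new_src):
    """What a NAT does: an immutable field (source address) changes."""
    return hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:]


def demo():
    src, dst, nat_src = "10.0.0.5", "192.0.2.10", "198.51.100.7"
    hdr = ipv4_header(src, dst)
    # Transport-mode payload: a TCP segment whose checksum was computed
    # against the original addresses. Under ESP this segment is encrypted,
    # so a NAT cannot even see the checksum it would need to fix.
    seg = tcp_segment(src, dst)
    icv = ah_icv(hdr, seg)

    after_router = decrement_ttl(hdr)
    after_nat = nat_rewrite_source(hdr, nat_src)
    return {
        "ah_ok_after_router": verify_ah(after_router, seg, icv),
        "ah_ok_after_nat": verify_ah(after_nat, seg, icv),
        # Receiver validates the inner TCP checksum with the outer addresses
        # it actually sees; after NAT those are the translated ones.
        "tcp_ok_after_router": tcp_checksum(src, dst, seg) == 0,
        "tcp_ok_after_nat": tcp_checksum(nat_src, dst, seg) == 0,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The two failures are independent: the AH case fails because the address is part of the authenticated data, the ESP transport-mode case fails because the address is bound into a checksum the NAT cannot reach. Schemes such as UDP encapsulation work around the second by hiding the IP packet from the NAT altogether, which is exactly the "modifies packets on the fly" category the reply objects to.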

