Re: RFC 2401 section 5.2.1
In your previous mail you wrote:
Transport mode does not solve the end-to-end security problem.
In fact, neither mode of IPSec can traverse NAT, and neither is
capable of providing end-to-end security.
=> NATs are *not* in the Internet architecture and *do* break
any end-to-end properties.
One exception is the
LAN configuration where you do not have to deal with NAT.
=> this discussion is in the IPv6 context where NATs are *not* welcome.
A whole lot of work has been done to address this problem, e.g. RSIP,
UDP encapsulation etc.
=> something which modifies packets on the fly should not be considered
where we talk about end-to-end security (or end-to-end something) IMHO.
Regards
Francis.Dupont@enst-bretagne.fr
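The point made above, that a box rewriting packets on the path defeats end-to-end integrity, can be shown concretely. The following is an added example, not code from the original mail nor from any IPsec implementation: a toy model (not RFC 2402/2406 wire format) of AH and of ESP in transport mode, with a NAT rewriting the source address in between. It assumes an HMAC over the immutable IP fields for AH, a TCP-style pseudo-header checksum under a toy keystream cipher for ESP, and constructed keys, addresses and payload.

```python
"""Added example: why a NAT on the path breaks IPsec end-to-end integrity.

Simplified model, not wire format:
  - AH: HMAC over the immutable IP header fields (which include both
    addresses) plus the payload.
  - ESP transport mode: TCP-style checksum over a pseudo-header that
    includes the addresses, then the whole segment is encrypted.
Keys, addresses and payload below are constructed for the demonstration.
"""
import hashlib
import hmac
import ipaddress
import struct


def _addr(a: str) -> bytes:
    return ipaddress.ip_address(a).packed


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    # Like the TCP pseudo-header: addresses, zero byte, protocol 6, length.
    return _addr(src) + _addr(dst) + b"\x00\x06" + struct.pack("!H", seg_len)


# ---- AH-style integrity -----------------------------------------------------
def ah_icv(key: bytes, src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # AH authenticates the fields that must not change in transit, and the
    # addresses are among them. Mutable fields (TTL, header checksum) are
    # zeroed by AH; here they are simply left out.
    covered = _addr(src) + _addr(dst) + bytes([proto]) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def ah_verify(key: bytes, pkt: dict) -> bool:
    expected = ah_icv(key, pkt["src"], pkt["dst"], pkt["proto"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


# ---- ESP transport mode (toy cipher, NOT a real ESP transform) --------------
def toy_xor_keystream(key: bytes, data: bytes) -> bytes:
    # Keystream block i = SHA-256(key || i); XOR is its own inverse.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def build_esp_transport(key: bytes, src: str, dst: str, tcp_payload: bytes) -> dict:
    # Segment layout: 2-byte checksum, then payload. The checksum is computed
    # with its own field zeroed, as TCP does.
    seg_len = 2 + len(tcp_payload)
    csum = inet_checksum(_pseudo_header(src, dst, seg_len) + b"\x00\x00" + tcp_payload)
    segment = struct.pack("!H", csum) + tcp_payload
    return {"src": src, "dst": dst, "esp": toy_xor_keystream(key, segment)}


def receive_esp_transport(key: bytes, pkt: dict) -> bool:
    # Decrypt, then check the transport checksum against the addresses that
    # actually arrived in the IP header; a correct checksum verifies to 0.
    segment = toy_xor_keystream(key, pkt["esp"])
    return inet_checksum(_pseudo_header(pkt["src"], pkt["dst"], len(segment)) + segment) == 0


# ---- the NAT in the middle ---------------------------------------------------
def nat_rewrite_source(pkt: dict, new_src: str) -> dict:
    # A NAT rewrites the outer source address (and the IP header checksum,
    # which AH does not cover anyway). It cannot recompute the AH ICV without
    # the key, and cannot reach the checksum inside the ESP ciphertext.
    return {**pkt, "src": new_src}


def demo() -> dict:
    key = b"constructed-shared-secret"      # known only to the two endpoints
    src, dst, nat_src = "10.0.0.2", "192.0.2.10", "203.0.113.7"
    payload = b"GET / HTTP/1.0\r\n\r\n"

    ah_pkt = {"src": src, "dst": dst, "proto": 6, "payload": payload}
    ah_pkt["icv"] = ah_icv(key, src, dst, 6, payload)
    esp_pkt = build_esp_transport(key, src, dst, payload)

    return {
        "ah_direct_ok": ah_verify(key, ah_pkt),
        "ah_via_nat_ok": ah_verify(key, nat_rewrite_source(ah_pkt, nat_src)),
        "esp_direct_ok": receive_esp_transport(key, esp_pkt),
        "esp_via_nat_ok": receive_esp_transport(key, nat_rewrite_source(esp_pkt, nat_src)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'REJECTED'}")
```

Both packets verify when delivered unchanged and are rejected after the NAT rewrite: the AH ICV no longer matches because the source address is under the MAC, and the ESP receiver's transport checksum fails because the pseudo-header it recomputes uses the rewritten address while the checksum inside the ciphertext still reflects the original one. The NAT cannot repair either without the endpoints' key, which is exactly why the proposals mentioned in the quoted mail (RSIP, UDP encapsulation) have to wrap the packet rather than modify it.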