Re: IPSEC Security Gateways & NAT
--- Chris Trobridge <CTrobridge@baltimore.com> wrote:
> We've come up against a number of situations where the network service
> provider has used NAT and the customer wants to add IP security by adding
> Security Gateways between their networks and the service provider's access
> points.
Why can't the traffic between customer site and the access point be secured?
There is no NAT involved thus far. All that the customer is asking for is
tunnel-mode security. The Access Point at the provider's site will need
a security gateway function.
NAT happens after this.
>
> RFC2401 says that a Security Gateway must use tunnel mode unless it is
> acting as a host (eg management). This negates the service provider's use of
> NAT by preventing it from translating client addresses - which in some cases
> overlap across multiple private networks.
>
Please see my comments above.
> Some vendors offer non-standard encryption modes - eg transport or
> proprietary - that do pass the IP (and even TCP/UDP) headers through in
> clear too. This exposes the client IP address for NAT but means that the
> encryption end-points probably won't agree on the selectors for the security
> association - as they will see different addresses for the same client.
>
> Even assuming that the management issues associated with agreeing SAs
> (possibly with dynamic NAT) can be fixed, there appears to be a deeper
> issue: Some protocols, most notably FTP, pass IP socket addresses at the
> application level. These need to be translated by Application Level
> Gateways (ALGs). However, once IP traffic has been encrypted, this
> information cannot be available to the ALG.
>
> This appears to imply that NAT, in general, must be performed before
> encryption. This is at odds with the models that a number of service
> providers are trying to apply. Are there any solutions to these problems?
> Or any papers detailing the sort of problems that occur when mixing NAT with
> IPSEC?
You might want to take a look at RFC 2709, even though that may not be
the model you are looking at.
>
> Thanks,
> Chris
>
>
cheers,
suresh
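Added example, not from the thread or either poster: a small Python model of the ordering question above, comparing Suresh's layout (decrypt at the access point, NAT on cleartext) with Chris's (customer gateway encrypts, provider NAT in the path) for an FTP PORT command. The Packet and EspTunnel types, the mapping table and all addresses are constructed for illustration.

```python
"""Toy model of the ordering problem discussed in the thread: a provider NAT
with an FTP ALG can only rewrite what it can see, and a tunnel-mode ESP
packet exposes nothing but its outer header. Addresses and the two
dataclasses are constructed for illustration (RFC 5737 ranges)."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str                 # FTP control line, e.g. a PORT command

@dataclass(frozen=True)
class EspTunnel:                 # tunnel-mode ESP: inner packet is opaque
    outer_src: str
    outer_dst: str
    inner: Packet

def port_cmd(ip: str, port: int) -> str:
    """Encode an FTP PORT command (RFC 959 form h1,h2,h3,h4,p1,p2)."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def port_cmd_ip(payload: str) -> str:
    """Address carried inside a PORT line, or '' for any other line."""
    return ".".join(payload[5:].split(",")[:4]) if payload.startswith("PORT ") else ""

def nat(pkt, mapping: dict):
    """Provider NAT plus FTP ALG; mapping is private address -> public address."""
    if isinstance(pkt, EspTunnel):          # ESP: only the outer header is visible
        return replace(pkt, outer_src=mapping.get(pkt.outer_src, pkt.outer_src))
    new_src, payload = mapping.get(pkt.src, pkt.src), pkt.payload
    if port_cmd_ip(payload) == pkt.src:     # ALG fixes up the embedded address
        p1, p2 = payload.split(",")[4:6]
        payload = port_cmd(new_src, int(p1) * 256 + int(p2))
    return Packet(new_src, pkt.dst, payload)

def encap(pkt: Packet, gw_src: str, gw_dst: str) -> EspTunnel:
    return EspTunnel(gw_src, gw_dst, pkt)

def decap(t: EspTunnel) -> Packet:
    return t.inner

def nat_on_cleartext(pkt, mapping, cust_gw, ap_gw):
    """Suresh's layout: encrypt customer site -> access point, decrypt there, NAT after."""
    return nat(decap(encap(pkt, cust_gw, ap_gw)), mapping)

def nat_on_esp(pkt, mapping, cust_gw, peer_gw):
    """Chris's layout: customer gateway encrypts first, provider NAT sits in the path."""
    return decap(nat(encap(pkt, cust_gw, peer_gw), mapping))
```

With client 10.0.0.5 mapped to 203.0.113.7, nat_on_cleartext hands the FTP server a PORT line carrying 203.0.113.7, while nat_on_esp translates only the outer gateway address and delivers the untranslated private address inside the PORT command.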