
Re: IPSEC Security Gateways & NAT




--- Chris Trobridge <CTrobridge@baltimore.com> wrote:
> We've come up against a number of situations where the network service
> provider has used NAT and the customer wants to add IP security by adding
> Security Gateways between their networks and the service provider's access
> points.

Why can't the traffic between the customer site and the access point be secured?
There is no NAT involved thus far. All that the customer is asking for is
tunnel-mode security. The Access Point at the provider's site will need
a security gateway function.

NAT happens after this.
  
> 
> RFC2401 says that a Security Gateway must use tunnel mode unless it is
> acting as a host (eg management).  This negates the service provider's use of
> NAT by preventing it from translating client addresses - which in some cases
> overlap across multiple private networks.
> 

Please see my comments above.

> Some vendors offer non-standard encryption modes - eg transport or
> proprietary - that do pass the IP (and even TCP/UDP) headers through in
> clear too.  This exposes the client IP address for NAT but means that the
> encryption end-points probably won't agree on the selectors for the security
> association - as they will see different addresses for the same client.
> 
> Even assuming that the management issues associated with agreeing SAs
> (possibly with dynamic NAT) can be fixed, there appears to be a deeper
> issue:  Some protocols, most notably FTP, pass IP socket addresses at the
> application level.  These need to be translated by Application Level
> Gateways (ALGs).  However, once IP traffic has been encrypted, this
> information cannot be available to the ALG.
> 
> This appears to imply that NAT, in general, must be performed before
> encryption.  This is at odds with the models that a number of service
> providers are trying to apply.  Are there any solutions to these problems?
> Or any papers detailing the sort of problems that occur when mixing NAT with
> IPSEC?

You might want to take a look at RFC 2709, even though that may not be
the model you are looking at.

> 
> Thanks,
> Chris
> 
> 

cheers,
suresh
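The ordering problem the thread is arguing about can be made concrete with a small model. The following is an added example, not code from either poster: it runs one FTP PORT command through three arrangements (NAT before tunnel-mode IPsec, tunnel-mode IPsec then NAT, and the non-standard transport-mode-on-a-gateway then NAT) and reports whether the far-end gateway's SA selectors still match and whether an FTP ALG could rewrite the address inside the command. Every address, the NAT mapping, the SA selectors and the "encryption" (which merely marks the packet as unreadable) are constructed for the example.

```python
"""Toy model (constructed for this example) of the NAT/IPsec ordering problem.

Selectors are checked on the addresses each end actually sees, and an FTP ALG can
only rewrite a PORT command it can read. All addresses and mappings are made up."""
from __future__ import annotations

import re
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str                     # application data, here an FTP PORT command
    encrypted: bool = False          # payload hidden by ESP (toy: just a flag)
    outer_src: Optional[str] = None  # tunnel-mode outer header (None = no tunnel)


@dataclass(frozen=True)
class SA:
    local_gw: str
    remote_gw: str
    src_sel: str   # selectors are matched on the addresses seen *after* decapsulation
    dst_sel: str
    mode: str      # "tunnel" (RFC 2401 gateway default) or "transport"


def ipsec_protect(pkt: Packet, sa: SA) -> Packet:
    """Sending gateway. Tunnel mode wraps the packet in a new outer header;
    transport mode encrypts the payload and leaves the IP header in the clear."""
    outer = sa.local_gw if sa.mode == "tunnel" else None
    return replace(pkt, encrypted=True, outer_src=outer)


def ipsec_receive(pkt: Packet, sa: SA) -> tuple[Packet, bool]:
    """Receiving gateway: decapsulate/decrypt, then check the inner addresses
    against the SA's traffic selectors."""
    inner = replace(pkt, encrypted=False, outer_src=None)
    ok = (ip_address(inner.src) in ip_network(sa.src_sel)
          and ip_address(inner.dst) in ip_network(sa.dst_sel))
    return inner, ok


def nat_source(pkt: Packet, mapping: dict) -> Packet:
    """Static source NAT: rewrites the outermost source address it can see.
    (Ignores that many NATs cannot map ESP at all, since ESP has no port field.)"""
    if pkt.outer_src is not None:
        return replace(pkt, outer_src=mapping.get(pkt.outer_src, pkt.outer_src))
    return replace(pkt, src=mapping.get(pkt.src, pkt.src))


PORT_RE = re.compile(r"PORT (\d+,\d+,\d+,\d+),(\d+,\d+)")


def ftp_alg(pkt: Packet, mapping: dict) -> tuple[Packet, bool]:
    """FTP ALG: rewrite the IP address carried inside a PORT command.
    Returns (packet, could_inspect); ciphertext cannot be inspected."""
    if pkt.encrypted:
        return pkt, False

    def fix(m: re.Match) -> str:
        ip = m.group(1).replace(",", ".")
        return f"PORT {mapping.get(ip, ip).replace('.', ',')},{m.group(2)}"

    return replace(pkt, payload=PORT_RE.sub(fix, pkt.payload)), True


# Constructed topology: client behind the customer gateway, a NAT in the path,
# a remote gateway in front of the FTP server.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
CUSTOMER_GW, REMOTE_GW = "10.0.0.1", "198.51.100.1"
NAT_MAP = {"10.0.0.5": "203.0.113.5", "10.0.0.1": "203.0.113.1"}
FTP_PORT_CMD = "PORT 10,0,0,5,7,208\r\n"   # client offers 10.0.0.5:2000 for the data connection


def run(order: str, mode: str) -> dict:
    """order: 'nat_then_ipsec' or 'ipsec_then_nat'; mode: 'tunnel' or 'transport'."""
    pkt = Packet(CLIENT, SERVER, FTP_PORT_CMD)
    if order == "nat_then_ipsec":
        # NAT (with its ALG) runs before the gateway, so the SA selectors can be
        # negotiated on the translated addresses.
        pkt = nat_source(pkt, NAT_MAP)
        pkt, alg_ok = ftp_alg(pkt, NAT_MAP)
        sa = SA(CUSTOMER_GW, REMOTE_GW, "203.0.113.0/24", "192.0.2.0/24", mode)
        pkt = ipsec_protect(pkt, sa)
    else:
        # Gateway encrypts first; the NAT (and its ALG) sees only ciphertext.
        sa = SA(CUSTOMER_GW, REMOTE_GW, "10.0.0.0/24", "192.0.2.0/24", mode)
        pkt = ipsec_protect(pkt, sa)
        pkt = nat_source(pkt, NAT_MAP)
        pkt, alg_ok = ftp_alg(pkt, NAT_MAP)
    inner, sel_ok = ipsec_receive(pkt, sa)
    seen = PORT_RE.search(inner.payload).group(1).replace(",", ".")
    return {"selectors_match": sel_ok, "alg_could_fix": alg_ok,
            "address_server_sees_in_PORT": seen}


if __name__ == "__main__":
    for order, mode in [("nat_then_ipsec", "tunnel"),
                        ("ipsec_then_nat", "tunnel"),
                        ("ipsec_then_nat", "transport")]:
        print(order, mode, run(order, mode))
```

Running it shows the three outcomes the thread describes: with NAT before encryption both the selectors and the PORT address come out right; with tunnel mode first the selectors still match (they are on the private inner addresses, which is exactly what breaks when those ranges overlap between customers) but the ALG cannot touch the PORT command, so the server is told a private address; with transport mode first the NAT does rewrite the visible source, so the far gateway's selectors no longer match the address the near gateway negotiated, and the ALG is still blind.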
