RE: IPSEC Security Gateways & NAT
Jayant,
Why does ESP over UDP do peer-to-peer security?
I assume you are talking about the SG-NAT===NAT-SG situation.
Thanks,
--- David
-----Original Message-----
From: jshukla [mailto:jshukla@earthlink.net]
Sent: Thursday, June 07, 2001 5:10 PM
To: Chris Trobridge; ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT
----- Original Message -----
From: "Chris Trobridge" <CTrobridge@baltimore.com>
To: <ipsec@lists.tislabs.com>
Sent: Thursday, June 07, 2001 4:56 AM
Subject: IPSEC Security Gateways & NAT
>
> Even assuming that the management issues associated with agreeing SAs
> (possibly with dynamic NAT) can be fixed, there appears to be a deeper
> issue: Some protocols, most notably FTP, pass IP socket addresses at the
> application level. These need to be translated by Application Level
> Gateways (ALGs). However, once IP traffic has been encrypted, this
> information cannot be available to the ALG.
>
There is another proposal to solve the IPSec and NAT conflict. It specifically
shows how the FTP problem can be solved.
http://search.ietf.org/internet-drafts/draft-shukla-ipsec-nat-qos-compatible-security-00.txt
Although we have not talked about the case when NAT is performed
by the ISP, it is not a problem. Our new draft will address that.
In addition to the issues raised by you, there are other problems,
such as, peer-to-peer security, support for per-flow based QoS,
and content based switching. Our proposal solves all these problems
as well.
On the other hand, ESPinUDP does not enable peer-to-peer
security, per-flow based QoS, and use of ALGs.
> This appears to imply that NAT, in general, must be performed before
> encryption. This is at odds with the models that a number of service
> providers are trying to apply. Are there any solutions to these problems?
> Or any papers detailing the sort of problems that occur when mixing NAT
> with IPSEC.
>
> Thanks,
> Chris
>
regards,
Jayant
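The FTP/ALG point raised in the thread, as an added example that is not part of the original messages or of the draft they cite: an active-mode FTP client announces its data-channel address inside the control stream with the PORT command, a NAT's FTP ALG rewrites that address and installs the matching data-channel mapping, and once the control stream is carried inside ESP the ALG sees only opaque bytes and can no longer find or rewrite it. All addresses, ports and the key are constructed sample values; the "encryption" is a labelled stand-in for ESP confidentiality, not ESP itself.

```python
import hashlib
import re
from typing import Optional, Tuple

# Constructed sample: an FTP client behind NAT (10.0.0.5) announces a data
# port with an active-mode PORT command; the NAT's external address is
# 203.0.113.7 (hypothetical). 4*256+1 = 1025 is the client's data port.
PRIVATE_CLIENT_IP = "10.0.0.5"
PUBLIC_NAT_IP = "203.0.113.7"
CLEARTEXT_PORT_CMD = "PORT 10,0,0,5,4,1\r\n"

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) carried by an FTP PORT command, or None if absent."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(ip: str, port: int) -> str:
    """Encode ip/port back into PORT h1,h2,h3,h4,p1,p2 form."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


def ftp_alg_rewrite(payload: str, private_ip: str, public_ip: str, public_port: int):
    """What a NAT's FTP ALG does with a visible control stream: rewrite the
    address inside PORT and report the data-channel mapping the NAT must
    install. Returns (rewritten_payload, mapping), or (payload, None) when no
    PORT command for the inside host is visible."""
    parsed = parse_port_command(payload)
    if parsed is None or parsed[0] != private_ip:
        return payload, None
    mapping = {"inside": (private_ip, parsed[1]), "outside": (public_ip, public_port)}
    return build_port_command(public_ip, public_port), mapping


def esp_like_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for ESP confidentiality: a SHA-256 keystream XOR. This is NOT
    ESP and not a secure cipher; it only makes the payload opaque to a
    middlebox the way an ESP-protected packet is."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def alg_can_translate(wire_bytes: bytes, private_ip: str, public_ip: str, public_port: int) -> bool:
    """True only if the ALG, looking at the bytes actually on the wire, can
    locate and rewrite the PORT command."""
    try:
        text = wire_bytes.decode("ascii")
    except UnicodeDecodeError:
        return False
    _, mapping = ftp_alg_rewrite(text, private_ip, public_ip, public_port)
    return mapping is not None


if __name__ == "__main__":
    # Cleartext control channel: ALG rewrites PORT and installs the mapping.
    new_cmd, mapping = ftp_alg_rewrite(CLEARTEXT_PORT_CMD, PRIVATE_CLIENT_IP, PUBLIC_NAT_IP, 40000)
    print("rewritten:", new_cmd.strip(), "mapping:", mapping)
    # Same control channel inside an ESP-like envelope: nothing to rewrite.
    sealed = esp_like_encrypt(CLEARTEXT_PORT_CMD.encode(), b"constructed-sa-key")
    print("ALG can translate sealed payload:",
          alg_can_translate(sealed, PRIVATE_CLIENT_IP, PUBLIC_NAT_IP, 40000))
```

The second case is the situation Chris describes: the NAT can still translate the outer IP header, but the socket address the FTP server will connect back to stays the untranslated private one, so the data connection fails unless NAT happens before encryption or the endpoints agree on the translation some other way.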