
RE: IPSEC Security Gateways & NAT



Jayant,
I like public opinion, if you don't mind.

After tunneling the IPSec's packet, the NAT device will NAT on the
outer IP's address.  The NAT device does not "see" the payload (IPSec
packets).

It seems that IPSec exposes the encrypted IP addresses because it
copies the inner address to the outer header for tunneling and through the NAT device.

Is this less secure than "not exposing address and other header
information"? 

Assume anything after SG (or host's w/IPSec) is unsecured communication to
NAT device.
 
Regards,

--- David



-----Original Message-----
From: jshukla [mailto:jshukla@earthlink.net]
Sent: Tuesday, June 12, 2001 11:54 AM
To: Chen, David
Subject: Re: IPSEC Security Gateways & NAT



----- Original Message ----- 
From: "Chen, David" <dchen@ellacoya.com>

> Jayant,
> Shukla's draft seems to be talking only about UDP(inner)->UDP(outer) and
> TCP->TCP mapping.
> 
> What to do with other protocols in the IP "protocol" field?
> 

You treat all protocols in the same fashion.

> It seems to me that, to be simple, all we need is
> duplicate (not mapping) the original IP's header for tunneling before

That's what I mean. Except you have to update the length and checksum
fields.

> encrypting
> the inner IP packet.   
> Afterward, forward this tunneled IP packet to NAT device(s)
> to reach the peer.  

How will the NAT device forward the packet to the peer if
the inner IP header is encrypted? I am assuming you want
to do peer-2-peer IPSec.

We went through all possible configurations, before settling
on the one that we have presented in the draft.


regards,
Jayant
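As an added illustration (not part of this thread, and not code from Shukla's draft), the following Python models the encapsulation David describes: the security gateway duplicates the inner IP header as the outer header, updates the protocol, length and checksum fields as Jayant notes, and the NAT device rewrites only the outer source address. The addresses, ports and payload are constructed; the inner packet is treated as opaque bytes standing in for the ESP-protected payload, and no real encryption is performed. The trace shows why the private inner address is visible between the gateway and the NAT device: it is copied into the cleartext outer header until the NAT replaces it.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_UDP = 17
IPPROTO_ESP = 50            # outer protocol number for ESP-encapsulated traffic
HDR_FMT = "!BBHHHBBH4s4s"   # minimal 20-byte IPv4 header, no options


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a correct header the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Build a 20-byte IPv4 header with a correct total length and checksum."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    # checksum field sits at bytes 10-11 and is zero while computing
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fields this example cares about from a 20-byte header."""
    f = struct.unpack(HDR_FMT, pkt[:20])
    return {"total_len": f[2], "ident": f[3], "ttl": f[5], "proto": f[6],
            "csum_ok": ip_checksum(pkt[:20]) == 0,
            "src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9]))}


def tunnel_encapsulate(inner_pkt: bytes) -> bytes:
    """Security gateway: duplicate the inner header as the outer one (the scheme
    discussed in the thread), then set protocol, length and checksum.
    The inner packet stands in for the ESP-protected payload and is opaque here."""
    inner = parse_ipv4_header(inner_pkt)
    outer = build_ipv4_header(inner["src"], inner["dst"], IPPROTO_ESP, len(inner_pkt),
                              ttl=inner["ttl"], ident=inner["ident"])
    return outer + inner_pkt


def nat_outer_source(pkt: bytes, public_src: str) -> bytes:
    """NAT device: rewrite only the outer source address and recompute only the
    outer checksum; the encapsulated bytes are forwarded untouched."""
    outer = parse_ipv4_header(pkt)
    payload = pkt[20:]
    new_outer = build_ipv4_header(public_src, outer["dst"], outer["proto"], len(payload),
                                  ttl=outer["ttl"], ident=outer["ident"])
    return new_outer + payload


def trace_path(inner_pkt: bytes, public_src: str) -> dict:
    """What is visible on the wire before and after the NAT device, and whether
    the encapsulated packet passed through byte-for-byte."""
    tunneled = tunnel_encapsulate(inner_pkt)
    natted = nat_outer_source(tunneled, public_src)
    return {
        "before_nat_outer_src": parse_ipv4_header(tunneled)["src"],   # private address exposed
        "after_nat_outer_src": parse_ipv4_header(natted)["src"],      # public address
        "after_nat_csum_ok": parse_ipv4_header(natted)["csum_ok"],
        "inner_untouched": natted[20:] == inner_pkt,
        "outer_proto": parse_ipv4_header(natted)["proto"],
    }


# Constructed sample: private host 10.0.0.5 sends a UDP datagram to 192.0.2.10.
# UDP header: src port 1234, dst port 53, length 13, checksum 0 (constructed, not validated).
SAMPLE_PAYLOAD = b"\x04\xd2\x00\x35\x00\x0d\x00\x00hello"
SAMPLE_INNER = (build_ipv4_header("10.0.0.5", "192.0.2.10", IPPROTO_UDP, len(SAMPLE_PAYLOAD))
                + SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for key, value in trace_path(SAMPLE_INNER, "203.0.113.7").items():
        print(f"{key}: {value}")
```

Running the script prints the outer source address as 10.0.0.5 on the gateway-to-NAT hop and 203.0.113.7 after the NAT, with the inner packet unchanged; that is the hop David flags as unsecured, and the only place the copied private address is readable.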