As noted, ESP coverage of selected header fields would increase
complexity and reduce performance. It also would create even more
circumstances where NAT could interfere with IPsec use. Today, using ESP in
tunnel mode can be made to work with NAT, but if the outer S/D IP addresses
were covered, that capability (I hesitate to call it a feature) would go
away.
Steve,
As far as I know, in many implementations,
NAT is done prior to IPsec processing at the sending end, and IPsec processing
is done before NAT at the receiving end.
Are there situations where NAT would interfere
in IPsec processing? If so, will you kindly brief them?
Assuming there will be situations where NAT will
interfere with IPsec processing, how will AH in transport mode work there?
Thanks
Lokesh.
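
An added example, not part of the original messages: a simplified model of how the integrity check value (ICV) fares across a routed hop and a source NAT under three coverage models, namely ESP as it is, the hypothetical ESP that also covers the outer S/D addresses, and AH. HMAC-SHA256 stands in for the negotiated integrity algorithm, the real ICV inputs also include the AH/ESP header fields, and the key, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct
KEY = b"constructed-demo-key"  # constructed sample key

def checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))  # checksum field must be zero here
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def rewrite(hdr, ttl_delta=0, src=None):
    """Apply in-path changes, then recompute the checksum as a router or NAT does."""
    h = bytearray(hdr)
    h[8] -= ttl_delta
    if src:
        h[12:16] = socket.inet_aton(src)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h)

def build_header(src, dst, payload_len, ttl=64):
    return rewrite(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                               ttl, 50, 0, socket.inet_aton(src), socket.inet_aton(dst)))

def icv(hdr, payload, coverage):  # coverage selects the protected outer-header bytes
    if coverage == "esp":          # ESP today: outer IP header not covered
        covered = b""
    elif coverage == "esp+addrs":  # hypothetical: outer S/D addresses covered
        covered = hdr[12:20]
    elif coverage == "ah":         # AH: whole header, mutable fields zeroed
        h = bytearray(hdr)
        h[1] = 0                   # TOS
        h[6:9] = b"\x00\x00\x00"   # flags/fragment offset, TTL
        h[10:12] = b"\x00\x00"     # header checksum
        covered = bytes(h)
    else:
        raise ValueError(coverage)
    return hmac.new(KEY, covered + payload, hashlib.sha256).digest()

def survives(coverage):
    """Return (ICV valid after a routed hop, ICV valid after source NAT)."""
    payload = b"constructed protected payload"
    sent = build_header("10.0.0.5", "198.51.100.7", len(payload))
    tag = icv(sent, payload, coverage)
    routed = rewrite(sent, ttl_delta=1)
    natted = rewrite(routed, src="203.0.113.9")
    return tuple(hmac.compare_digest(tag, icv(h, payload, coverage)) for h in (routed, natted))
```

All three models tolerate the TTL and checksum changes of ordinary forwarding; only the model that leaves the outer addresses out of the ICV still verifies after the address rewrite.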