Re: Why can't ESP authenticate IP header?
At 10:25 AM +0530 9/25/01, lokesh wrote:
As noted, ESP coverage of selected header fields would
increase complexity and reduce performance. It also would create even
more circumstances where NAT could interfere with IPsec use. Today,
using ESP in tunnel mode can be made to work with NAT, but if the
outer S/D IP addresses were covered, that capability (I hesitate to
call it a feature) would go away.
Steve,
As far as I know, in many implementations, NAT is done prior to IPsec processing at the sending end, and IPsec processing is done before NAT at the receiving end.
Are there situations where NAT would interfere with IPsec processing? If so, will you kindly brief them?
Assuming there will be situations where NAT will interfere with IPsec processing, how will AH in transport mode work there?
I get the feeling that you have not been reading this list for
very long.
Yes, a combined IPsec/NAT implementation in a security gateway
avoids the problems I cited. The NAT problems I refer to arise when
NAT takes place at a device that is between the IPsec implementation
and the Internet. For example, I am in a hotel room in London now and
if I had IPsec on my laptop, it would have to deal with the NAT box
that the hotel has deployed. Same problem arises in many cable modem
nets, and for desktop IPsec implementations in corporate environments
where NAT is performed at the gateway/firewall.
Steve
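The difference Steve is pointing at (ESP tunnel mode can survive a NAT box sitting between the IPsec endpoint and the Internet, AH cannot) worked through as an added example that is not part of the thread; the key, addresses and the trimmed ESP body are constructed:

```python
# Added illustration: AH's ICV covers the IP header, ESP's does not.
import hmac, hashlib, struct, ipaddress

KEY = b"constructed-demo-key"  # constructed; a real SA key is negotiated by IKE

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # Minimal 20-byte IPv4 header, checksum left zero (constructed, not a real stack).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def ah_icv(hdr, payload):
    # AH authenticates the IP header with the mutable fields zeroed:
    # TOS, flags/fragment offset, TTL and header checksum. Addresses stay covered.
    h = bytearray(hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]

def esp_icv(esp_body):
    # ESP's ICV covers SPI, sequence number and the (encrypted) payload only;
    # in tunnel mode the inner IP header is inside that payload, the outer header is not.
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()[:12]

def nat_rewrite(hdr, new_src):
    # Source NAT between the IPsec host and the Internet rewrites bytes 12..15 (source address).
    return hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:]

def simulate(original_src, dst, nat_src):
    # Constructed ESP body: SPI, sequence number, then opaque ciphertext.
    esp_body = b"\x00\x00\x01\x02" + b"\x00\x00\x00\x01" + b"ciphertext-and-trailer"
    ah_pkt = ipv4_header(original_src, dst, 51, len(esp_body))  # protocol 51 = AH
    esp_pkt = ipv4_header(original_src, dst, 50, len(esp_body))  # protocol 50 = ESP
    ah_sent, esp_sent = ah_icv(ah_pkt, esp_body), esp_icv(esp_body)
    # The NAT box on the path rewrites the outer source address of both packets.
    ah_recv, esp_recv = nat_rewrite(ah_pkt, nat_src), nat_rewrite(esp_pkt, nat_src)
    # Receiver recomputes over what arrived: AH sees a changed header, ESP never looked at it.
    return {"ah_ok": hmac.compare_digest(ah_sent, ah_icv(ah_recv, esp_body)),
            "esp_ok": hmac.compare_digest(esp_sent, esp_icv(esp_body))}

if __name__ == "__main__":
    print(simulate("10.0.0.5", "203.0.113.7", "198.51.100.1"))  # {'ah_ok': False, 'esp_ok': True}
```

A NAT that also rewrites ports cannot touch ESP's encrypted transport header either, which is why the "NAT traversal" that later became UDP encapsulation keys on the SPI instead.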