[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Why can't ESP authenticate IP header?



Title: Re: Why can't ESP authenticate IP header?
At 10:25 AM +0530 9/25/01, lokesh wrote:
As noted, ESP coverage of selected header fields would increase complexity and reduce performance. It also would create even more circumstances where NAT could interfere with IPsec use. Today, using ESP in tunnel mode can be made to work with NAT, but if the outer S/D IP addresses were covered, that capability (I hesitate to call it a feature) would go away.
 
Steve,
 
As for as I know, in  many implementations, NAT is done prior to ipsec processing at the sending end, and Ipsec processing is done before NAT at the receiving end.
Are there situvations where NAT would interfere in ipsec processing ? if so, kindly will you brief them?
 
Assuming there will be situations where NAT will interfere with IPsec processing, how AH in transport mode will work there?

I get the feeling that you have not been reading this list for very long.

Yes, a combined IPsec/NAT implementation in a security gateway avoids the problems I cited. The NAT problems I refer to arise when NAT takes place at a device that is between the IPsec implementation and the Internet. For example, I am in a hotel room in London now and if I had IPsec on my laptop, it would have to deal with the NAT box that the hotel has deployed. Same problem arises in many cable modem nets, and for desktop IPsec implementations in corporate environments where NAT is performed at the gateway/firewall.

Steve

Follow-Ups: References: