----- Original Message -----
Sent: Tuesday, September 25, 2001 6:13 PM
Subject: Re: Why can't ESP authenticate IP header?
At 10:25 AM +0530 9/25/01, lokesh wrote:
As noted, ESP coverage of selected header fields would
increase complexity and reduce performance. It also would create even more
circumstances where NAT could interfere with IPsec use. Today, using ESP
in tunnel mode can be made to work with NAT, but if the outer S/D IP
addresses were covered, that capability (I hesitate to call it a feature)
would go away.
Steve,
As far as I know, in many implementations, NAT is done prior to IPsec
processing at the sending end, and IPsec processing is done before NAT at
the receiving end.
Are there situations where NAT would interfere with IPsec processing? If
so, will you kindly brief them?
Assuming there will be situations where NAT will interfere with IPsec
processing, how will AH in transport mode work there?
I get the feeling that you have not been reading this list for very long.
Yes, a combined IPsec/NAT implementation in a security gateway avoids the
problems I cited. The NAT problems I refer to arise when NAT takes place at a
device that is between the IPsec implementation and the Internet. For example,
I am in a hotel room in London now and if I had IPsec on my laptop, it would
have to deal with the NAT box that the hotel has deployed. Same problem arises
in many cable modem nets, and for desktop IPsec implementations in corporate
environments where NAT is performed at the gateway/firewall.
Steve,
Yes, I have subscribed to it very recently.
In such scenarios as the one you mention above, I think AH in transport
mode should not be used, right?
Thanks
-Lokesh
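To make the difference between the two cases in this exchange concrete, the following is an added, simplified model (not code from the list or from any IPsec implementation): an AH-style integrity check that covers the outer source/destination addresses, an ESP-style one that covers only the encapsulated payload, and a NAT box in the path that rewrites the source address. The key, addresses and payload are constructed sample values; the HMAC construction stands in for the real AH/ESP transforms and omits the mutable-field zeroing the RFCs specify.

```python
import hmac
import hashlib
import ipaddress

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread


def ah_icv(src, dst, payload, key=KEY):
    """Model of an AH ICV: covers the immutable outer IP header fields (here,
    just the addresses) plus the payload, so a NAT rewrite of either address
    invalidates it.  Real AH additionally zeroes mutable fields (TTL, checksum)."""
    covered = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def esp_icv(payload, key=KEY):
    """Model of an ESP ICV: covers only the ESP header/payload/trailer, never
    the outer IP header, which is why outer-address rewriting does not break it."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def build_packets(src, dst, payload):
    """Build one AH-protected and one ESP-protected packet for the same flow."""
    ah = {"src": src, "dst": dst, "payload": payload, "icv": ah_icv(src, dst, payload)}
    esp = {"src": src, "dst": dst, "payload": payload, "icv": esp_icv(payload)}
    return ah, esp


def nat_rewrite(pkt, new_src):
    """A NAT box between the IPsec host and the Internet (the hotel/cable-modem
    case): it rewrites the source address and leaves the IPsec data untouched."""
    return {**pkt, "src": new_src}


def verify_ah(pkt):
    return hmac.compare_digest(pkt["icv"], ah_icv(pkt["src"], pkt["dst"], pkt["payload"]))


def verify_esp(pkt):
    return hmac.compare_digest(pkt["icv"], esp_icv(pkt["payload"]))


def nat_survival(private_src="10.0.0.5", public_src="203.0.113.7",
                 dst="198.51.100.20", payload=b"constructed inner packet"):
    """Send both packets through the NAT and report which ICV still verifies."""
    ah, esp = build_packets(private_src, dst, payload)
    return {"ah": verify_ah(nat_rewrite(ah, public_src)),
            "esp": verify_esp(nat_rewrite(esp, public_src))}


if __name__ == "__main__":
    print(nat_survival())  # AH fails after NAT, ESP survives
```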