
RE: Towards closure on NAT traversal.





> 
> I would submit FTP as a proof of existence of insoluble problems in
> *transparently* traversing a NAT with IPSec.
> 

This problem has been solved. I specifically mentioned this case at the
San Diego meeting. Wait for our ID for a more detailed description. 


> Even adding Security Gateway code to a NAT, which in many respects
> would seem the best form of "IPSec pass-through", would still leave

I don't think adding Security Gateway code to the NAT is a good
solution. It makes IPsec not scalable and does not provide end-to-end
security. 

> 
> How long a list of exceptions can any "solution" to this charter
> item tolerate and still deserve to be called a solution?
>

The problem is that if a NAT traversal solution does not take into
account everything a NAT box does, it will always have to deal with
exceptions. If the solution lets the NAT box do its job, you won't have
to deal with exceptions. 


Regards,
Jayant
www.trlokom.com  


 
>     Greg Bailey     |  ATHENA Programming, Inc  |  503-295-7703  |
>   ----------------  |  310 SW 4th Ave  Ste 530  |  fax 295-6935  |
>   greg@minerva.com  |  Portland, OR  97204  US  |
> 
> 
>