using ip-based cert. in NAT-T
Neither the internal IPs nor their certificates can be registered in the
DNS. This forces the other peer, which is negotiating IKE main mode with the
NATed host, to use a certificate whose subject is something other than the IP
(maybe an FQDN) to authenticate the NATed host, which may be less secure.
What if the internal hosts behind the NAT could -somehow- register their
certificates in the DNS with an approach like this:
Each NATed host will be provided an identifier that is unique amongst the
NATed hosts behind one NAT (i.e., those hosts having the same external IP).
This NAT-ID will be included in the options field of the IP header of the
NATed packet. Additional RRs are to be added to the DNS, with extensions to
hold that NAT-ID, one RR record for each NATed host.
Then the certificates can be registered in that NAT RR and used by
the remote peer to obtain the certificate of the NATed host.
How do you find that approach?