
using ip-based cert. in NAT-T
Neither the internal IPs nor their certificates can be registered in the 
DNS. This makes the other peer, which is negotiating IKE main mode with the 
NATed host, use a certificate with a subject other than the IP (maybe an 
FQDN) to authenticate the NATed host, which may be less secure.
What if the internal hosts behind the NAT could -somehow- register their 
certificates in the DNS with an approach like this:
Each NATed host will be provided an identifier that is unique amongst the 
NATed hosts behind one NAT (i.e., those hosts having the same external IP). 
This NAT-ID will be included in the options field of the IP header of the 
NATed packet. Additional RRs are to be added to the DNS, with extensions to 
hold that NAT-ID, one RR for each NATed host.
Then the certificates can be registered in that NAT RR and used by 
the remote peer to obtain the certificate of the NATed host.
How do you find that approach?