
RE: using ip-based cert. in NAT-T





> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]
> On Behalf Of Mohammad Awad
> 
> Neither the internal IPs nor their certificates can be registered in the
> DNS. This makes the other peer, which is negotiating IKE main mode with the
> NATed host, use a certificate with a subject other than the IP (maybe an
> FQDN) to authenticate the NATed host, which may be less secure.
> What if the internal hosts behind the NAT can -somehow- register their
> certificates in the DNS with an approach like this:
> Each NATed host will be provided an identifier that is unique amongst the
> NATed hosts behind one NAT (i.e., those hosts having the same external IP).
> This NAT-ID will be included in the options field of the IP header of the
> NATed packet. Additional RRs in the DNS are to be added, with extensions to
> hold that NAT-ID, one RR record for each NATed host.
> Then the certificates can be registered in that RR NAT record and used by
> the remote peer to obtain the certificate of the NATed host.
> How do you find that approach?
> 
> 

Something very similar has been tried by us and it did not work. Most
ISPs drop packets with unknown IP options and some very large ISPs drop
any packet with IP options. 

Regards,
Jayant
www.trlokom.com
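As an added illustration (not code from either poster), this builds an IPv4 header carrying the proposed NAT-ID in the options area and shows the property the reply hinges on: any option at all pushes IHL past 5, which is exactly what a coarse "drop anything with options" filter keys on. The option type is the RFC 4727 experimental number used as a stand-in, and the NAT-ID layout (type, length, 16-bit id) is an assumption.

```python
import struct

# Constructed example. RFC 4727 reserves IPv4 option number 30 for experiments; 0x9E is that
# number with the "copied" bit set. It stands in for the thread's NAT-ID option (no real assignment).
NAT_ID_OPTION_TYPE = 0x9E

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when run over a header whose checksum is set."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """IPv4 header (protocol 50 = ESP, no payload); IHL exceeds 5 as soon as any option is present."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary with End-of-Option-List
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 50, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + options
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]

def nat_id_option(nat_id: int) -> bytes:
    """Assumed NAT-ID layout: type, length (4), 16-bit identifier."""
    return struct.pack("!BBH", NAT_ID_OPTION_TYPE, 4, nat_id)

def parse_ipv4_options(packet: bytes) -> list:
    """Walk the option TLVs between byte 20 and IHL*4: EOL (0) ends the list, NOP (1) is one byte."""
    ihl = packet[0] & 0x0F
    opts, out, i = packet[20:ihl * 4], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed IPv4 option at offset %d" % i)
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def options_filter_would_drop(packet: bytes) -> bool:
    """The coarse policy the reply describes: anything with IHL > 5 (i.e. any options) is dropped."""
    return (packet[0] & 0x0F) > 5
```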