List: ipsec
Subject: Re: IPSEC and NAT
From: Steven Bellovin <smb () research ! att ! com>
Date: 1997-08-19 11:36:45

> Has there been any discussion on using IPSEC in conjunction
> with Network Address Translation devices? In particular, I'm
> having problems using Sun's SKIP Source Release 1.0 on a host
> behind an Ascend P-50 that's doing address translation.
> Any suggestions would be appreciated.

The subject came up at the NAT BoF at the Munich IETF meeting last week.
Basically, you can't do IPSEC through a NAT box. You have to terminate
the security association at the NAT box, and -- if you want -- create
a new security association from the box to the end system.

The point is simple: IPSEC guards against tampering with the packet,
and NAT boxes by definition tinker with at least the addresses.
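
The point made in the message above, as an added illustration that is not part of the original e-mail: a simplified Python model of an AH-style integrity check, in which mutable header fields such as the TTL are zeroed before the MAC is computed but the addresses are covered. The key, addresses and payload are constructed, HMAC-SHA1-96 and all function names are assumptions of this example, and the AH header's own fields are left out of the MAC input.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-sa-key"  # constructed key standing in for the SA's secret

def ip_header(src, dst, ttl=64, proto=51, total_len=44):
    """Build a 20-byte IPv4 header (proto 51 = AH); checksum left as zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ah_icv(header, payload, key=KEY):
    """AH-style ICV: mutable fields (TOS, flags/offset, TTL, checksum) are
    zeroed, but source and destination addresses stay in the MAC input."""
    h = bytearray(header)
    h[1] = 0            # TOS
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha1).digest()[:12]

def nat_rewrite(header, new_src):
    """What a NAT box does on the way out: replace the source address."""
    return header[:12] + ipaddress.IPv4Address(new_src).packed + header[16:]

def forward(header, ttl):
    """What any router does: change the TTL, which is a mutable field."""
    return header[:8] + bytes([ttl]) + header[9:]

def receiver_accepts(header, payload, icv):
    """Receiver recomputes the ICV over the header as it arrived."""
    return hmac.compare_digest(ah_icv(header, payload), icv)

def demo():
    payload = b"constructed payload data"
    sent = ip_header("10.0.0.5", "192.0.2.10")     # host behind the NAT box
    icv = ah_icv(sent, payload)                    # computed by the sender
    routed = forward(sent, ttl=57)                 # ordinary forwarding
    natted = nat_rewrite(routed, "198.51.100.1")   # NAT box's public address
    return (receiver_accepts(routed, payload, icv),
            receiver_accepts(natted, payload, icv))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

Ordinary forwarding leaves the check intact, while the address rewrite makes the receiver's recomputed value differ from the one the sender attached.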