
List:       ipsec
Subject:    Re: IPSEC and NAT
From:       Steven Bellovin <smb () research ! att ! com>
Date:       1997-08-19 11:36:45

	 Has there been any discussion on using IPSEC in conjunction
	 with Network Address Translation devices?  In particular, I'm
	 having problems using Sun's SKIP Source Release 1.0 on a host
	 behind an Ascend P-50 that's doing address translation.

	 Any suggestions would be appreciated.

The subject came up at the NAT BoF at the Munich IETF meeting last week.
Basically, you can't do IPSEC through a NAT box.  You have to terminate
the security association at the NAT box, and -- if you want -- create
a new security association from the box to the end system.

The point is simple:  IPSEC guards against tampering with the packet,
and NAT boxes by definition tinker with at least the addresses.
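
Added example, not part of the original message: a simplified model of an AH-style integrity check over an IPv4 header, showing that a router's TTL change still verifies while a NAT source-address rewrite does not. HMAC-SHA-256 truncated to 96 bits, the key, the addresses and the payload are assumptions constructed for the illustration.

```python
import hashlib, hmac, socket, struct

def checksum(data):
    """Standard IPv4 one's-complement header checksum."""
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def fix_checksum(hdr):
    h = bytearray(hdr)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h)

def ipv4_header(src, dst, payload_len, ttl=64):
    """20-byte IPv4 header without options; protocol 51 is AH."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, 51, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fix_checksum(hdr)

def ah_icv(key, hdr, payload):
    """Zero the fields routers may change, then MAC the rest, addresses included."""
    h = bytearray(hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(key, bytes(h) + payload, hashlib.sha256).digest()[:12]

def verify(key, hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)

def router_hop(hdr):
    """Ordinary forwarding: decrement TTL, recompute checksum."""
    h = bytearray(hdr)
    h[8] -= 1
    return fix_checksum(h)

def nat_rewrite(hdr, public_src):
    """NAT: replace the source address, recompute checksum."""
    h = bytearray(hdr)
    h[12:16] = socket.inet_aton(public_src)
    return fix_checksum(h)

KEY = b"constructed-demo-key"          # constructed SA key
PAYLOAD = b"constructed payload"       # stands in for AH header + upper layer
SENT = ipv4_header("10.0.0.5", "192.0.2.10", len(PAYLOAD))
ICV = ah_icv(KEY, SENT, PAYLOAD)
```

The translated packet still carries a valid IP header checksum, so it is forwarded normally; only the receiver's integrity check rejects it.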
