List:       ipsec
Subject:    Re: IPSEC and NAT
From:       Robert Moskowitz <rgm3 () chrysler ! com>
Date:       1997-08-19 12:06:45

At 05:11 PM 8/18/97 -0400, David Aylesworth wrote:
>Has there been any discussion on using IPSEC in conjunction with Network
>Address Translation devices?  In particular, I'm having problems using Sun's
>SKIP Source Release 1.0 on a host behind an Ascend P-50 that's doing address
>translation.
>
I have done extensive review of address translation and IPsec.  I am
preparing an Internet draft covering 16 different NAT scenarios for network
to network and 4 scenarios with 3 road warrior variants for single system to
network NAT.  All of these only address a single IPsec tunnel.  I have YET
to tackle multiple tunnels in this format, which I believe will be VERY
important.  One thing at a time...

A number of people have seen my scenarios and I have not gotten any
negatives on them.  As Steve mentioned, the translation occurs before the
packets enter the tunnel or after they emerge.  I have learned that many
IPsec vendors cannot 'couple' their IPsec and NAT functions together.  I
suspect that this will change quickly.  This is one of the important items
I want to see tested at the upcoming AIAG sponsored IPsec workshop, as NAT
is a real world reality (from a co-author of RFC 1918).




Robert Moskowitz
Chrysler Corporation
(810) 758-8212
