
List:       ipsec
Subject:    Re[2]: IPSEC and NAT
From:       pcalhoun () usr ! com
Date:       1997-08-19 13:51:50

The problem you run into is that the initiator of the packet is
changed by the NAT.

For those of you who do not know what NAT does, it is very simple.
Imagine a box which has ONE valid Internet address on one side, and a
whole private network on the other (say NET10). When a packet is
initiated on the private network, the NAT changes the address to its
public address, and changes the port number to one that is currently
unused by the NAT (it also records the port number to reference the
real initiator of the packet's address and port). It then sends out
the packet to the Internet.

Once the packet is received by the target host, it would assume that
it needs to set up an SA with the NAT instead of with a host with a
private address (which has been changed by the NAT). Since the NAT was
not the initiator of the ISAKMP exchange there is a lot of confusion.
One REALLY STUPID way of doing it is to share the private/public keys
between the host and the NAT (I DO NOT RECOMMEND YOU TO DO THIS AT
HOME). An alternative is for the NAT to run in tunnel mode on behalf
of the initiator (but this assumes that the initiator trusts the NAT,
which it probably does not).

So, this is the problem. I am anxious to hear of some solutions to get
around this limitation.

PatC

PS: For the record, I also dislike writing protocols around NAT.
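An added illustration of the point made above (and of the "tunnel through a NAT" question in the quoted reply below); this is example code written for this archive page, not anything from the thread's authors. It models an integrity check that covers the addresses and ports (as AH does) with an HMAC, a minimal outbound NAT, and a tunnel-mode encapsulation; the addresses, key and packet are constructed, and the byte layout is a simplification, not real AH/ESP encoding.

```python
import hashlib, hmac, socket, struct
from dataclasses import dataclass, replace

SA_KEY = b"constructed-demo-integrity-key"  # stands in for an SA key; constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def covered_bytes(pkt: Packet) -> bytes:
    # Like AH, the integrity check covers the addresses and ports, not just the payload.
    return (socket.inet_aton(pkt.src) + socket.inet_aton(pkt.dst)
            + struct.pack("!HH", pkt.sport, pkt.dport) + pkt.payload)

def icv(data: bytes) -> bytes:
    return hmac.new(SA_KEY, data, hashlib.sha256).digest()

def nat_translate(pkt: Packet, public_ip: str, table: dict) -> Packet:
    # Outbound NAT: rewrite the private source address/port and remember the mapping.
    new_port = 40000 + len(table)            # a port the NAT is not currently using
    table[new_port] = (pkt.src, pkt.sport)   # the real initiator's address and port
    return replace(pkt, src=public_ip, sport=new_port)

def tunnel(inner: Packet, outer_src: str, outer_dst: str) -> Packet:
    # Tunnel mode: the protected inner packet plus its ICV rides inside a new outer header.
    body = covered_bytes(inner)
    return Packet(outer_src, outer_dst, 500, 500, body + icv(body))

def decapsulate(outer: Packet) -> tuple[str, bool]:
    # Receiver checks the inner packet; the NAT only touched the outer header.
    body, tag = outer.payload[:-32], outer.payload[-32:]
    return socket.inet_ntoa(body[:4]), hmac.compare_digest(icv(body), tag)

def demo() -> tuple[bool, bool, str, str]:
    table = {}
    pkt = Packet("10.0.0.7", "192.0.2.10", 1024, 500, b"ISAKMP hello")  # constructed
    tag = icv(covered_bytes(pkt))  # sender computes the check before the NAT sees it
    # Transport mode: the NAT rewrites a covered field, so the receiver's check fails.
    transport_ok = hmac.compare_digest(icv(covered_bytes(nat_translate(pkt, "203.0.113.1", table))), tag)
    # Tunnel mode: only the outer header is rewritten, so the inner check still passes,
    # but the receiver now sees a private inner source behind a public outer one.
    outer = nat_translate(tunnel(pkt, pkt.src, pkt.dst), "203.0.113.1", table)
    inner_src, tunnel_ok = decapsulate(outer)
    return transport_ok, tunnel_ok, inner_src, outer.src
```

The mismatch between the inner private source and the outer public one is exactly the identity confusion the thread describes: the integrity check survives, but the responder still has to decide which address the SA belongs to.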


______________________________ Reply Separator _________________________________
Subject: Re: IPSEC and NAT
Author:  hsw@columbia.sparta.com (Howard Weiss) at Internet
Date:    8/19/97 9:21 AM


> 
>        Has there been any discussion on using IPSEC in conjunction
>        with Network Address Translation devices?  In particular, I'm 
>        having problems using Sun's SKIP Source Release 1.0 on a host 
>        behind an Ascend P-50 that's doing address translation.
> 
>        Any suggestions would be appreciated. 
> 
> The subject came up at the NAT BoF at the Munich IETF meeting last week. 
> Basically, you can't do IPSEC through a NAT box.  You have to terminate 
> the security association at the NAT box, and -- if you want -- create
> a new security association from the box to the end system. 
> 
> The point is simple:  IPSEC guards against tampering with the packet, 
> and NAT boxes by definition tinker with at least the addresses.
> 
     
Couldn't one tunnel through a NAT?
     
     
-- 
 ___________________________________________________________________
|                                                                   | 
|Howard Weiss                        phone (410) 381-9400 x201      | 
|SPARTA, Inc.                              (301) 621-8145 x201 (DC) | 
|9861 Broken Land Parkway, suite 300 fax:  (410) 381-5559           | 
|Columbia, MD 21046                  email: hsw@columbia.sparta.com | 
|___________________________________________________________________|
["RFC822 message headers" (text/plain)]

Received: from usr.com (mailgate.usr.com) by robogate2.usr.com with SMTP
  (IMA Internet Exchange 2.02 Enterprise) id 3F9A1280; Tue, 19 Aug 97 08:35:36
-0500
Received: from portal.ex.tis.com by usr.com (8.7.5/3.1.090690-US Robotics)
	id IAA00016; Tue, 19 Aug 1997 08:12:29 -0500 (CDT)
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id
JAA21110 for ipsec-outgoing; Tue, 19 Aug 1997 09:11:51 -0400 (EDT)
From: hsw@columbia.sparta.com (Howard Weiss)
Message-Id: <9708191321.AA03146@katahdin.columbia.sparta.com>
Subject: Re: IPSEC and NAT
To: smb@research.att.com (Steven Bellovin)
Date: Tue, 19 Aug 1997 09:21:11 -0400 (EDT)
Cc: dave@tlogic.com, ipsec@tis.com
In-Reply-To: <199708191136.HAA04781@raptor.research.att.com> from "Steven
Bellovin" at Aug 19, 97 07:36:45 am
Organization: SPARTA Inc. (Secure Systems Engineering Division)
Usmail: 9861 Broken Land Parkway, Suite 300, Columbia MD 21046
Phone: (410) 381-9400 x201
Fax:   (410) 381-5559
X-Mailer: ELM [version 2.4PL24 PGP3 ALPHA]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

