
List:       ipsec
Subject:    Re: IPSEC and NAT
From:       Yan-Fa LI <yanfali () hpcc103 ! corp ! hp ! com>
Date:       1997-08-19 20:36:18


A couple of questions to wiser minds, but...

Why do NAT in a central location ?  One of the things I really dislike
about NAT is that sometimes it has to get involved at the application
layer to fix certain protocols, e.g.  FTP.  This slows everything down
if the IPSec/NAT has to snoop every packet looking for TCP port 21 and
PORT strings.  Isn't the IPSec gateway complex enough without
introducing NAT ?

Why not push the problem out to the individual hosts ?  Have the hosts
have virtual network interfaces that appear to be on the
Internal/Virtual network, just like PPP.  This avoids many of the
inherent problems of NAT.  I remember that Bellovin and Cheswick wrote a
paper on just this idea some years ago.

Just my $0.02

Y

 ___________________________________________________________________ 
| Bio-Routing:               | Electronic Connectivity:             |
|                            |                                      |
| Yan-Fa LI (TIS TR)         | Phone:    ( +1 ) - 415 424 3680      |
| Hewlett-Packard Company    | Fax:      ( +1 ) - 415 424 3632      |
| Mail Stop: 20CX            |                                      |
| 3000 Hanover Street,       | Telnet:   424 - 3680                 |
| Palo Alto, CA 94304        | Email:    yanfali@corp.hp.com        |
| USA                        |                                      |
|____________________________|______________________________________|
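As an added illustration of the application-layer work the poster objects to (this is not code from the original post or thread): a minimal FTP PORT-command ALG of the kind a NAT has to run on port 21 traffic, next to a check showing why that rewrite cannot coexist with an integrity-protected IPsec payload. The addresses, ports and HMAC key are constructed sample values.

```python
import hashlib
import hmac
import re

# Active-mode FTP announces the client's data endpoint in-band:
# "PORT h1,h2,h3,h4,p1,p2" where port = p1*256 + p2.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(line: bytes):
    """Return (ip, port) carried in a PORT command, or None for any other line."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def rewrite_port(line: bytes, public_ip: str, public_port: int) -> bytes:
    """What a NAT's FTP ALG must do: swap the private address/port the client
    announced for the NAT's public mapping so the server's data connection
    can reach it.  Non-PORT lines pass through untouched."""
    if parse_port(line) is None:
        return line
    octets = ",".join(public_ip.split("."))
    return f"PORT {octets},{public_port // 256},{public_port % 256}\r\n".encode()


def integrity_tag(payload: bytes, key: bytes) -> bytes:
    """Stand-in for an IPsec integrity check value computed by the sender
    over the payload (constructed for illustration, not the real AH/ESP ICV)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def nat_breaks_integrity(line: bytes, key: bytes, public_ip: str, public_port: int) -> bool:
    """True when the ALG rewrite invalidates the sender's integrity tag, i.e. the
    receiving IPsec peer would discard the rewritten packet."""
    tag = integrity_tag(line, key)
    rewritten = rewrite_port(line, public_ip, public_port)
    return not hmac.compare_digest(tag, integrity_tag(rewritten, key))


if __name__ == "__main__":
    sample = b"PORT 10,0,0,5,4,1\r\n"  # constructed: private host 10.0.0.5, port 1025
    print(rewrite_port(sample, "192.0.2.1", 40000))
    print(nat_breaks_integrity(sample, b"constructed-key", "192.0.2.1", 40000))
```

The same conflict applies to ESP, where the NAT cannot even see the PORT string to rewrite it, which is the case for pushing the virtual interface out to the host instead.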
