RE: Thomas Narten's DISCUSS vote
Stephen Waters <Stephen.Waters@digital.com> Wed, 27 May 1998 10:31 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id GAA19971 for ipsec-outgoing; Wed, 27 May 1998 06:31:07 -0400 (EDT)
Message-ID: <250F9C8DEB9ED011A14D08002BE4F64C01959155@wade.reo.dec.com>
From: Stephen Waters <Stephen.Waters@digital.com>
To: Steve Bellovin <smb@research.att.com>
Cc: ipsec@tis.com
Subject: RE: Thomas Narten's DISCUSS vote
Date: Wed, 27 May 1998 11:43:03 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-Type: text/plain
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
NAT is a many-flavoured thing. I can think of a couple of useful NAT setups while using IPSEC: 1) Hosts are armed with IPSEC and use transport mode to chat. When a security gateway gets in the way, this transport mode ESP packet will need to be re-ESPed with tunnel mode. If a remote site is using a private numbering scheme (private in that it is not part of the companies Intranet address space), NAT will need to be applied to the IP header on the host's packet before it is tunneled: Host 10.1.1.1------ SG1-----Internet----SG2-------Home LAN 17.0.0.0 In this example, SG1 will have allocated (dynamically or statically) and address from the 17.0.0.0 numbering plan. This Intranet address will then need to be imposed on any packets carrying 10.1.1.1 that SG1 forwards. Once the NAT function has been performed on the 'LAN' side of SG1, the packet will need to be tunneled (EPS tunnel) over the Internet. If you are using a new-style VPN carrier with whom you share your address space, the tunnel may not be needed (depending of whether you wish to enforce encryption or not). In this configuration, it is a MUST to NOT use AH on the hosts. There is nothing stopping the SGs using AH to protect the tunneled packet's outer IP header. 2) As for 1), but hosts have no IPSEC This is the same as 1) as far as the SGs are concerned: map the host's address and tunnel using any transport you fancy. These two examples use NAT to translate between Intranet addresses and local/private adresses. NAT can of course be used to translate between Internet addresses and Intranet/local addresses, but IPSEC is unlikely to be involved. NAT could be quite useful at a SOHO site. If you model a SOHO site as a remote-access client (say using dial-in ISDN to connect to the Internet), then you can use the same dynamic address assignment techniques as for a remote laptop and allow the SOHO router to NAT the address for the various systems on the SOHO LAN. Probably all discussed to death elsewhere, but It may help - provided I'm right :) Cheers, Steve. -----Original Message----- From: Steve Bellovin [SMTP:smb@research.att.com] Sent: Tuesday, May 26, 1998 3:34 PM To: Theodore Y. Ts'o Cc: ipsec@tis.com Subject: Re: Thomas Narten's DISCUSS vote The text is valid; ESP includes integrity protection, although ESP doesn't cover the IP header. In the new IPSEC scheme, it is extremely unlikely that someone will use both ESP and AH. ESP-NULL provides no data confidentiality, but it does provide integrity over the packet data (but not of the IP headers), thus allowing NAT boxes to muck with the IP headers. Whether or not this is a horrible abstraction violation is besides the point; if the goal is to allow NAT boxes to work, while still providing data integrity services for the packet contents, ESP NULL is one way of accomplishing that goal. The objection is valid -- because of the transport checksum, which is protected by ESP-NULL's integrity algorithm, the IP addresses can't be tinkered with in a useful fashion. (Well, I suppose that a NAT box could change the source port number to offset the changes to the addresses -- but I don't really regard that as useful...) ESP-NULL has a lot of advantages -- but enabling NAT isn't one of them. (Well, I suppose that one could argue that defeating NAT is itself a nice feature, but that's out of bounds for this WG...)
- Re: Thomas Narten's DISCUSS vote Gabriel.Montenegro
- Thomas Narten's DISCUSS vote Theodore Y. Ts'o
- Re: Thomas Narten's DISCUSS vote Vipul Gupta
- Re: Thomas Narten's DISCUSS vote Gabriel.Montenegro
- Re: Thomas Narten's DISCUSS vote Vach Kompella
- Re: Thomas Narten's DISCUSS vote Steve Bellovin
- Re: Thomas Narten's DISCUSS vote Hilarie Orman
- Re: Thomas Narten's DISCUSS vote Thomas Narten
- RE: Thomas Narten's DISCUSS vote Stephen Waters
- Re: Thomas Narten's DISCUSS vote Pyda Srisuresh