Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Robert Moskowitz <rgm-ietf@htt-consult.com> Wed, 01 April 1998 07:00 UTC
Date: Tue, 31 Mar 1998 14:58:15 -0800
To: perry@piermont.com, "Howard C. Berkowitz" <hcb@clark.net>
From: Robert Moskowitz <rgm-ietf@htt-consult.com>
Subject: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Cc: Stephen Kent <kent@bbn.com>, ietf@ns.ietf.org
At 02:59 PM 3/31/98 -0500, Perry E. Metzger wrote:

> Because "trusted NAT", meaning "share your encryption keys with your
> routers" is like "military intelligence" or "congressional
> oversight", perhaps?

In some cases, there can be a trusted NAT. This is a system set up for this task only, not a bunch of other firewallish and NAT stuff, to limit risks.

In many of these cases, there might be an ESP gw-gw tunnel and within it a NULL-ESP end-end transport. But ESP transport cannot be NATed, as the TCP checksum is in the ESP frame and the IP addresses are not. So it would have to be a NULL-ESP end-end tunnel.

BTW, this is valuable to protect your connection over the internet, but to know who the actual end party is in an inter-enterprise environment (where it is unwise to trust IP addresses, as gw-gw tends to result with).
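The checksum point above, as an added illustration that is not part of the original thread: the TCP checksum covers an IP pseudo-header, so when the segment is inside ESP a NAT that rewrites the outer address cannot fix it, whereas a tunnel carrying the inner IP header lets the endpoint verify against the original address. The addresses and ports are constructed for the example.

```python
# Added example (not from the mailing-list message): TCP checksum behaviour
# behind a NAT for ESP transport vs. tunnel mode. ESP is treated as an opaque
# wrapper here; NAT can neither read nor rewrite what is inside it.
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header (src, dst, 0, proto 6, length) + segment
    with its own checksum field (bytes 16..18) zeroed."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, 6, len(segment))
    return internet_checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def build_tcp(sport: int, dport: int, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (no options) with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def receiver_check(outer_src: str, outer_dst: str, esp_payload: bytes, inner_hdr=None) -> bool:
    """Endpoint verifies the TCP checksum after ESP decapsulation.
    Transport mode: addresses come from the outer (possibly NATed) IP header.
    Tunnel mode: addresses come from the inner IP header carried inside ESP."""
    src, dst = inner_hdr if inner_hdr else (outer_src, outer_dst)
    return tcp_checksum(src, dst, esp_payload) == struct.unpack("!H", esp_payload[16:18])[0]


PRIVATE, PUBLIC, SERVER = "10.0.0.5", "203.0.113.7", "198.51.100.9"  # constructed


def nat_transport_mode_ok() -> bool:
    # NAT rewrites outer src PRIVATE -> PUBLIC; the protected segment is unchanged.
    seg = build_tcp(40000, 443, PRIVATE, SERVER, b"hello")
    return receiver_check(PUBLIC, SERVER, seg)  # False: checksum mismatch


def nat_tunnel_mode_ok() -> bool:
    # Inner IP header (PRIVATE -> SERVER) travels inside ESP, untouched by NAT.
    seg = build_tcp(40000, 443, PRIVATE, SERVER, b"hello")
    return receiver_check(PUBLIC, SERVER, seg, inner_hdr=(PRIVATE, SERVER))  # True
```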