Firewall Wizards mailing list archives
Re: NAT
From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 17 Jun 1998 11:34:15 -0500
At 11:23 AM 6/14/98 -0700, Ryan Russell wrote:
> Does the instance where IPSec worked when NATted point out a broken or incomplete implementation, then?
On Sidewinder, at least, the NAT activity is irrelevant to IPSEC behavior. When leaving the internal (address translated) network, the addresses are swapped before packets are handed to IPSEC for crypto processing. Encrypted packets from the outside world are decrypted and then each packet's IP address gets changed before being dropped on the internal LAN. The same security association is used for all NATed traffic between a pair of IPSEC gateways. Protocol engineering issues encourage using the same security association for all traffic between a pair of IPSEC hosts. If we have Bob and Emily in behind Firewall A, with Alice and Carl behind Firewall B, then the traffic between Bob and Alice can be proxied through the same security association as the traffic between Emily and Carl. There's no significant problem with this if you're doing authentication on the IPSEC packets.
> too well defined, and not very workable. Only works for a single proxy, too.
Don't understand what you mean, except to agree that there are lots of things that aren't too well defined. Crypto is relatively new technology when it comes right down to it. Several years back Steve Kent told me he thought this approach to crypto (network level protection) was fundamentally impractical. But here we are trying to make it work.
> I'm not clear on your Sidewinder example... Packets coming in from the VPN client get decrypted on the gateway in either case.. When the endpoint is the gateway itself...where does it get the final destination address.. unless it's in tunnel mode. When the destination is "inside" past the gateway.. does the gateway change the source address of the packet to be itself, or does the inside machine think it's being connected to from all the way out in the Internet?
If an inside machine is the final destination and we're doing NAT, then the mapping between inside and outside addresses is via a database within Sidewinder. I'm not sure there's another way to make NAT work than that. If we're not doing NAT and we're in tunnel mode, then the obvious things happen.

Rick.
smith () securecomputing com
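The translate-then-protect ordering Rick describes, as an added example that is not from the thread or from Sidewinder: a toy gateway A with a constructed NAT database and one HMAC-authenticated security association shared with gateway B. It shows Bob's and Emily's traffic riding the same SA, the reverse mapping applied after verification on the way back in, and why a translator that rewrites addresses after IPsec protection fails the integrity check. All names, addresses and the key are constructed.

```python
import hashlib, hmac
from typing import NamedTuple, Optional

# Constructed key for the one security association shared by gateways A and B.
SA_KEY = b"constructed-sa-key-between-gateway-A-and-B"
# Constructed NAT database on gateway A: inside address -> outside address.
NAT_DB = {"10.0.0.5": "192.0.2.5", "10.0.0.6": "192.0.2.6"}  # Bob, Emily
NAT_REVERSE = {outside: inside for inside, outside in NAT_DB.items()}

class Packet(NamedTuple):
    src: str
    dst: str
    payload: bytes

    def wire(self) -> bytes:
        return f"{self.src}>{self.dst}|".encode() + self.payload

def nat_outbound(pkt: Packet) -> Packet:
    """Swap the inside source for its outside address (done before IPsec)."""
    return Packet(NAT_DB[pkt.src], pkt.dst, pkt.payload)

def nat_inbound(pkt: Packet) -> Packet:
    """Map the outside destination back to the inside host (done after IPsec)."""
    return Packet(pkt.src, NAT_REVERSE[pkt.dst], pkt.payload)

def ipsec_protect(pkt: Packet) -> bytes:
    """AH-style integrity: one ICV over addresses and payload under the shared SA."""
    body = pkt.wire()
    return body + hmac.new(SA_KEY, body, hashlib.sha256).digest()

def ipsec_verify(frame: bytes) -> Optional[Packet]:
    body, icv = frame[:-32], frame[-32:]
    if not hmac.compare_digest(hmac.new(SA_KEY, body, hashlib.sha256).digest(), icv):
        return None  # ICV mismatch: headers or payload were altered after protection
    hdr, payload = body.split(b"|", 1)
    src, dst = hdr.decode().split(">")
    return Packet(src, dst, payload)

def gateway_a_send(pkt: Packet) -> bytes:
    """Order on the way out: translate first, then hand the packet to IPsec."""
    return ipsec_protect(nat_outbound(pkt))

def gateway_a_receive(frame: bytes) -> Optional[Packet]:
    """Order on the way in: verify first, then translate toward the inside LAN."""
    inner = ipsec_verify(frame)
    return None if inner is None else nat_inbound(inner)

def nat_after_ipsec(frame: bytes, old: str, new: str) -> Optional[Packet]:
    """Wrong order: rewriting an already-protected packet breaks the ICV."""
    return ipsec_verify(frame.replace(old.encode(), new.encode(), 1))
```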