Firewall Wizards mailing list archives

Re: NAT


From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 17 Jun 1998 11:34:15 -0500

At 11:23 AM 6/14/98 -0700, Ryan Russell wrote:

> Does the instance where IPSec worked when NATted
> point out a broken or incomplete implementation, then?

On Sidewinder, at least, the NAT activity is irrelevant to IPSEC behavior.
When leaving the internal (address translated) network, the addresses are
swapped before packets are handed to IPSEC for crypto processing. Encrypted
packets from the outside world are decrypted and then each packet's IP
address gets changed before being dropped on the internal LAN. The same
security association is used for all NATed traffic between a pair of IPSEC
gateways.

Protocol engineering issues encourage using the same security association
for all traffic between a pair of IPSEC hosts. If we have Bob and Emily in
behind Firewall A, with Alice and Carl behind Firewall B, then the traffic
between Bob and Alice can be proxied through the same security association
as the traffic between Emily and Carl. There's no significant problem with
this if you're doing authentication on the IPSEC packets.

> too well defined, and not very workable.  Only works for
> a single proxy, too.

Don't understand what you mean, except to agree that there are lots of
things that aren't too well defined. Crypto is relatively new technology
when it comes right down to it. Several years back Steve Kent told me he
thought this approach to crypto (network level protection) was
fundamentally impractical. But here we are trying to make it work.

> I'm not clear on your Sidewinder example... Packets
> coming in from the VPN client get decrypted on
> the gateway in either case.. When the endpoint
> is the gateway itself...where does it get the final destination
> address.. unless it's in tunnel mode.  When the destination
> is "inside" past the gateway.. does the gateway change the
> source address of the packet to be itself, or does the inside
> machine think it's being connected to from all the way out in
> the Internet?

If an inside machine is the final destination and we're doing NAT, then the
mapping between inside and outside addresses is via a database within
Sidewinder. I'm not sure there's another way to make NAT work than that. If
we're not doing NAT and we're in tunnel mode, then the obvious things happen.

Rick.
smith () securecomputing com
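The ordering Rick describes (translate addresses, then hand the packet to IPSEC on the way out; decrypt, then translate on the way in) is what lets NAT coexist with an integrity-protected security association. The model below is an added example, not code from the original thread or from Sidewinder; the addresses, the NAT database, the SA key and the simplified AH-style integrity check are all constructed.

```python
import hmac
import hashlib
import socket
import struct

# Constructed example: one security association (SA) shared by the two
# gateways (Firewall A and Firewall B). Real IPsec negotiates keys and
# carries full headers; this models only the ordering that matters here:
# whether NAT rewrites addresses before or after the integrity check (ICV).
SA = {"spi": 0x1000, "key": b"constructed-sa-key-shared-by-FW-A-and-FW-B"}

# Firewall A's NAT database (constructed): inside hosts Bob and Emily
# both map to the firewall's outside address.
NAT_DB = {"10.0.0.5": "192.0.2.10", "10.0.0.6": "192.0.2.10"}


def _icv(sa, src, dst, payload):
    """AH-style ICV over SPI, both IP addresses and payload (header is covered)."""
    data = (struct.pack("!I", sa["spi"]) + socket.inet_aton(src)
            + socket.inet_aton(dst) + payload)
    return hmac.new(sa["key"], data, hashlib.sha256).digest()[:12]


def protect(sa, src, dst, payload):
    """Sending gateway applies the SA to the packet as it currently reads."""
    return {"spi": sa["spi"], "src": src, "dst": dst, "payload": payload,
            "icv": _icv(sa, src, dst, payload)}


def verify(sa, pkt):
    """Receiving gateway (Firewall B) checks the ICV before any NAT of its own."""
    if pkt["spi"] != sa["spi"]:
        return False
    return hmac.compare_digest(_icv(sa, pkt["src"], pkt["dst"], pkt["payload"]),
                               pkt["icv"])


def gateway_nat_then_ipsec(src, dst, payload):
    """Gateway order described in the thread: translate, then hand to IPsec."""
    return protect(SA, NAT_DB[src], dst, payload)


def ipsec_then_middlebox_nat(src, dst, payload):
    """Breaking order: IPsec first, then a NAT box in the path rewrites the header."""
    pkt = protect(SA, src, dst, payload)
    pkt["src"] = NAT_DB[src]  # changed after the ICV was computed -> check fails
    return pkt
```

Both Bob's and Emily's packets come out of `gateway_nat_then_ipsec` under the same SPI, which is the single-SA-per-gateway-pair arrangement the message describes.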
