Firewall Wizards mailing list archives

Re: NAT


From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 17 Jun 1998 16:03:51 -0500

At 12:01 PM 6/17/98 -0700, Ryan Russell wrote:

> I'm under the impression that if the IP header of an IPSec packet
> gets modified, the packet will get rejected because IP addresses
> are part of what's checked for in authentication mode.  I'm also
> assuming that authentication mode is wanted/needed when doing
> VPN applications.

I haven't looked at the current implementation, but older NAT versions on
Sidewinder would modify port numbers in the TCP or UDP header as well as IP
addresses. You're right: nothing works once you apply IPSEC to NATted data.

> The problem I'm concerned with is remote-access type VPN
> applications.  This is where I send users running around the world
> with a piece of software on their laptops, and they get whatever
> kind of Internet access they can.  This would include sitting
> on someone else's net, and going out through their firewall.
> I think the IPSec method of transport is going to have limited
> value in those situations, and we'll need something simpler
> for a transport, like a TCP connection.

This is a policy problem first and a technology problem second. The visitor
is trying to treat the hosting site like an ISP, and that's not always
appropriate. The host site might not want an outsider generating encrypted
data streams inside their network and shooting them through the door at
high speed.

Rick.
smith () securecomputing com
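As an added illustration of the point both posters make (this is example code written for this archive page, not anything from Ryan Russell, Rick Smith or Sidewinder): an AH-style integrity check value is computed over the IP addresses and the transport header, with only the fields RFC 2402 lists as mutable (TOS, flags/fragment offset, TTL, header checksum) zeroed out. A plain router hop that decrements the TTL still verifies; a NAT hop that rewrites the source address and the TCP source port does not. The key, addresses, and the truncated HMAC-SHA-256 construction are constructed for the demo (real AH uses e.g. HMAC-SHA1-96 negotiated on the SA).

```python
import hashlib
import hmac
import socket
import struct

# Constructed demo key; stands in for the key negotiated on the AH SA.
KEY = b"constructed-demo-key"


def build_ipv4_header(src, dst, ttl=64, proto=6, total_len=40, ident=0x1234):
    """Return a 20-byte IPv4 header; the checksum field is left as zero."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, total_len, ident, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_immutable_view(ip_header):
    """Zero the IPv4 fields AH treats as mutable (RFC 2402 3.3.3.1): TOS,
    flags/fragment offset, TTL, header checksum. Addresses are NOT zeroed,
    which is exactly why NAT and AH do not mix."""
    hdr = bytearray(ip_header)
    hdr[1] = 0                 # TOS
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset
    hdr[8] = 0                 # TTL
    hdr[10:12] = b"\x00\x00"   # header checksum
    return bytes(hdr)


def compute_icv(key, ip_header, payload):
    """ICV over the immutable header view plus the whole upper-layer payload
    (so TCP/UDP ports are covered too). Truncated to 96 bits like AH does."""
    view = ah_immutable_view(ip_header) + payload
    return hmac.new(key, view, hashlib.sha256).digest()[:12]


def verify_icv(key, ip_header, payload, icv):
    return hmac.compare_digest(compute_icv(key, ip_header, payload), icv)


def router_hop(ip_header):
    """Model an ordinary router: decrement TTL, nothing else."""
    hdr = bytearray(ip_header)
    hdr[8] -= 1
    return bytes(hdr)


def nat_rewrite(ip_header, payload, new_src, new_sport):
    """Model a NAT/PAT box: rewrite the IP source address and the TCP source
    port (first two bytes of the transport header)."""
    hdr = bytearray(ip_header)
    hdr[12:16] = socket.inet_aton(new_src)
    pl = bytearray(payload)
    pl[0:2] = struct.pack("!H", new_sport)
    return bytes(hdr), bytes(pl)


def demo():
    """Returns (verifies_after_router, verifies_after_nat)."""
    # Constructed TCP header stub: sport 40000, dport 443, rest zeroed.
    tcp = struct.pack("!HH", 40000, 443) + b"\x00" * 16
    hdr = build_ipv4_header("10.0.0.5", "192.0.2.10")   # sender's view
    icv = compute_icv(KEY, hdr, tcp)

    after_router = verify_icv(KEY, router_hop(hdr), tcp, icv)
    nat_hdr, nat_tcp = nat_rewrite(hdr, tcp, "203.0.113.7", 61000)
    after_nat = verify_icv(KEY, nat_hdr, nat_tcp, icv)
    return after_router, after_nat


if __name__ == "__main__":
    print("after plain router hop:", demo()[0])   # True
    print("after NAT hop:        ", demo()[1])    # False
```

Rewriting only the address (no port translation) fails the same way, since the addresses are inside the ICV; the receiver cannot tell a NAT rewrite from tampering, which is the intended property of the authentication mode.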
