Firewall Wizards mailing list archives
Re: NAT
From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 17 Jun 1998 16:03:51 -0500
At 12:01 PM 6/17/98 -0700, Ryan Russell wrote:
> I'm under the impression that if the IP header of an IPSec packet gets modified, the packet will get rejected because IP addresses are part of what's checked for in authentication mode. I'm also assuming that authentication mode is wanted/needed when doing VPN applications.
I haven't looked at the current implementation, but older NAT versions on Sidewinder would modify port numbers in the TCP or UDP header as well as IP addresses. You're right: nothing works once you apply IPSEC to NATted data.
> The problem I'm concerned with is remote-access type VPN applications. This is where I send users running around the world with a piece of software on their laptops, and they get whatever kind of Internet access they can. This would include sitting on someone else's net, and going out through their firewall. I think the IPSec method of transport is going to have limited value in those situations, and we'll need something simpler for a transport, like a TCP connection.
This is a policy problem first and a technology problem second. The visitor is trying to treat the hosting site like an ISP, and that's not always appropriate. The host site might not want an outsider generating encrypted data streams inside their network and shooting them through the door at high speed.
Rick.
smith () securecomputing com
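The point both posters make above, that AH covers the addresses and the transport ports so a NAT rewrite fails authentication, can be shown with a simplified RFC 4302 AH integrity check. This is an added example for the archive, not code from either poster or from Sidewinder; the SA key, addresses and packet contents are constructed values, and the UDP checksum is left at zero to keep the packet building short.

```python
"""Simplified RFC 4302 AH integrity check, to show why NAT breaks it.

Added example for this thread, not code from either poster. It builds an
IPv4 + AH + UDP packet, computes the HMAC-SHA1-96 ICV (RFC 2404) over the
IP header with its mutable fields zeroed, the AH header with the ICV field
zeroed, and the payload, then shows which in-path changes the ICV tolerates.
The SA key and all addresses are constructed values for the demo.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-sa-key"   # assumption: the SA's pre-shared authentication key
AH_PROTO = 51                      # IP protocol number for AH
UDP_PROTO = 17

def ip_checksum(hdr):
    """RFC 791 one's-complement checksum over a 20-byte header (checksum field zeroed)."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, total_len, proto=AH_PROTO, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def udp_segment(sport, dport, data):
    # UDP checksum left at zero (allowed over IPv4) to keep the example short
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def ah_header(next_hdr, spi, seq, icv=b"\x00" * 12):
    # payload len field = (AH length in 32-bit words) - 2 = 24/4 - 2 = 4
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + icv

def ah_immutable_view(ip_hdr):
    """Zero the fields RFC 4302 classes as mutable; addresses and ports are NOT among them."""
    h = bytearray(ip_hdr)
    h[1] = 0                # DSCP / ECN
    h[6:8] = b"\x00\x00"    # flags and fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)

def compute_icv(key, ip_hdr, ah_hdr, payload):
    ah_zeroed = ah_hdr[:12] + b"\x00" * 12
    mac = hmac.new(key, ah_immutable_view(ip_hdr) + ah_zeroed + payload, hashlib.sha1).digest()
    return mac[:12]   # HMAC-SHA1-96: truncate to 96 bits

def build_ah_packet(key, src, dst, sport, dport, data, spi=0x1000, seq=1):
    payload = udp_segment(sport, dport, data)
    ip_hdr = ipv4_header(src, dst, 20 + 24 + len(payload))
    ah = ah_header(UDP_PROTO, spi, seq)
    return ip_hdr + ah[:12] + compute_icv(key, ip_hdr, ah, payload) + payload

def verify_ah(key, packet):
    """Receiver-side check: recompute the ICV and compare in constant time."""
    ip_hdr, ah, payload = packet[:20], packet[20:44], packet[44:]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah, payload), ah[12:24])

def router_hop(packet):
    """A plain router decrements TTL and fixes the IP checksum; both are mutable, so AH tolerates it."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[20:]

def nat_rewrite(packet, new_src=None, new_sport=None):
    """What a source-NAT does: rewrite the source address and/or source port and fix the IP
    checksum. It holds no SA key, so it cannot recompute the ICV, which covers both fields."""
    h = bytearray(packet[:20])
    body = bytearray(packet[20:])
    if new_src is not None:
        h[12:16] = socket.inet_aton(new_src)
    if new_sport is not None:
        body[24:26] = struct.pack("!H", new_sport)   # UDP source port, 24 bytes past the AH start
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + bytes(body)

if __name__ == "__main__":
    pkt = build_ah_packet(KEY, "10.0.0.5", "192.0.2.10", 40000, 500, b"constructed payload")
    print("original      :", verify_ah(KEY, pkt))                                      # True
    print("after a router:", verify_ah(KEY, router_hop(pkt)))                          # True
    print("after NAT addr:", verify_ah(KEY, nat_rewrite(pkt, new_src="203.0.113.7")))  # False
    print("after NAT port:", verify_ah(KEY, nat_rewrite(pkt, new_sport=61000)))        # False
```

The TTL hop passes because RFC 4302 zeroes the mutable fields before the MAC is computed; the NAT hop fails because the source address and the UDP source port are covered, and the NAT box has no SA key with which to recompute the ICV. ESP without AH does not cover the outer IP header, but a transport-mode ESP packet still carries its ports inside the encrypted payload where a port-rewriting NAT cannot reach them, which is the problem UDP encapsulation of ESP (NAT traversal, standardised later as RFC 3948) was introduced to solve.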
Current thread:
- NAT Appel, John (Jun 11)
- <Possible follow-ups>
- RE: NAT Burden, James (Jun 12)
- Re: NAT Tina Bird (Jun 13)
- Re: NAT Ryan Russell (Jun 15)
- Re: NAT Rick Smith (Jun 17)
- RE: NAT Burden, James (Jun 16)
- Re: NAT Tina Bird (Jun 17)
- Re: NAT Ryan Russell (Jun 17)
- Re: NAT Rick Smith (Jun 17)
- Re: NAT Ryan Russell (Jun 17)
- Re: NAT Rick Smith (Jun 17)
- Re: NAT Paul Sangster (Jun 18)
- Re: NAT Ryan Russell (Jun 17)