Re: NAT
Rick Smith (rick_smith at securecomputing.com)
Wed, 17 Jun 1998 11:34:15 -0500
At 11:23 AM 6/14/98 -0700, Ryan Russell wrote:
>
>Does the instance where IPSec worked when NATted
>point out a broken or incomplete implementation, then?
On Sidewinder, at least, the NAT activity is irrelevant to IPSEC behavior.
When leaving the internal (address translated) network, the addresses are
swapped before packets are handed to IPSEC for crypto processing. Encrypted
packets from the outside world are decrypted and then each packet's IP
address gets changed before being dropped on the internal LAN. The same
security association is used for all NATed traffic between a pair of IPSEC
gateways.
Protocol engineering issues encourage using the same security association
for all traffic between a pair of IPSEC hosts. If we have Bob and Emily in
behind Firewall A, with Alice and Carl behind Firewall B, then the traffic
between Bob and Alice can be proxied through the same security association
as the traffic between Emily and Carl. There's no significant problem with
this if you're doing authentication on the IPSEC packets.
>too well defined, and not very workable. Only works for
>a single proxy, too.
Don't understand what you mean, except to agree that there are lots of
things that aren't too well defined. Crypto is relatively new technology
when it comes right down to it. Several years back Steve Kent told me he
thought this approach to crypto (network level protection) was
fundamentally impractical. But here we are trying to make it work.
>I'm not clear on your Sidewinder example... Packets
>coming in from the VPN client get decrypted on
>the gateway in either case.. When the endpoint
>is the gateway itself...where does it get the final destination
>address.. unless it's in tunnel mode. When the destination
>is "inside" past the gateway.. does the gateway change the
>source address of the packet to be itself, or does the inside
>machine think it's being connected to from all the way out in
>the Internet?
If an inside machine is the final destination and we're doing NAT, then the
mapping between inside and outside addresses is via a database within
Sidewinder. I'm not sure there's another way to make NAT work than that. If
we're not doing NAT and we're in tunnel mode, then the obvious things happen.
Rick.
smith at securecomputing.com
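The following is an added illustration of the ordering Rick describes, written for this archive page; it is not Sidewinder or Secure Computing code and nothing in the thread supplies it. Outbound, the gateway swaps the inside source address from its NAT database and only then hands the packet to IPsec; inbound, IPsec processing comes first and the database maps the outside destination back to the inside host. A single security association carries every host pair behind the two gateways (Bob and Emily behind A, Alice and Carl behind B), and because each packet is authenticated, a packet altered in transit is rejected regardless of which pair it belongs to. Real encryption is left out: IPsec protection is stood in for by an HMAC tag over the translated packet, and all addresses, SPI values and keys are constructed for the example.

```python
"""Toy model of NAT-then-IPsec (out) and IPsec-then-NAT (in) with one shared SA.

Added example for the archived thread, not Sidewinder code. Encryption is
omitted; an HMAC tag over the translated packet stands in for IPsec protection.
Hosts, addresses, the SPI and the key are constructed values.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class ProtectedPacket:
    spi: int          # selects the security association at the receiver
    inner: Packet     # the already address-translated packet
    tag: bytes        # authentication tag over inner


class SecurityAssociation:
    """One SA shared by all traffic between a pair of gateways."""

    def __init__(self, spi: int, key: bytes):
        self.spi = spi
        self.key = key

    def _mac(self, pkt: Packet) -> bytes:
        msg = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def protect(self, pkt: Packet) -> ProtectedPacket:
        return ProtectedPacket(self.spi, pkt, self._mac(pkt))

    def verify(self, ppkt: ProtectedPacket) -> Packet:
        """Reject packets for the wrong SA or with a bad tag."""
        if ppkt.spi != self.spi or not hmac.compare_digest(ppkt.tag, self._mac(ppkt.inner)):
            raise ValueError("IPsec authentication failed")
        return ppkt.inner


class Gateway:
    """NAT gateway holding a static inside<->outside address database."""

    def __init__(self, sa: SecurityAssociation, nat_table: dict):
        self.sa = sa
        self.inside_to_outside = dict(nat_table)
        self.outside_to_inside = {v: k for k, v in nat_table.items()}

    def send_outbound(self, pkt: Packet) -> ProtectedPacket:
        # Leaving the translated network: swap the source address first,
        # then hand the packet to IPsec.
        translated = replace(pkt, src=self.inside_to_outside[pkt.src])
        return self.sa.protect(translated)

    def receive_inbound(self, ppkt: ProtectedPacket) -> Packet:
        # Arriving from outside: IPsec verifies (would decrypt) first, then the
        # database maps the outside destination back to the inside host.
        clear = self.sa.verify(ppkt)
        return replace(clear, dst=self.outside_to_inside[clear.dst])


def build_demo():
    """Firewall A fronts Bob and Emily, Firewall B fronts Alice and Carl (constructed)."""
    sa = SecurityAssociation(spi=0x1001, key=b"constructed-shared-key")
    fw_a = Gateway(sa, {"10.0.0.11": "192.0.2.11",       # Bob
                        "10.0.0.12": "192.0.2.12"})      # Emily
    fw_b = Gateway(sa, {"10.1.0.21": "198.51.100.21",    # Alice
                        "10.1.0.22": "198.51.100.22"})   # Carl
    return sa, fw_a, fw_b


def deliver(src_gw: Gateway, dst_gw: Gateway, pkt: Packet) -> Packet:
    """The packet as the inside host on the far side finally sees it."""
    return dst_gw.receive_inbound(src_gw.send_outbound(pkt))


def tampering_is_rejected(src_gw: Gateway, dst_gw: Gateway, pkt: Packet) -> bool:
    """Alter the payload in transit; the shared SA's tag check must fail."""
    ppkt = src_gw.send_outbound(pkt)
    forged = replace(ppkt, inner=replace(ppkt.inner, payload=b"tampered"))
    try:
        dst_gw.receive_inbound(forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    _, fw_a, fw_b = build_demo()
    bob_to_alice = Packet("10.0.0.11", "198.51.100.21", b"hello alice")
    emily_to_carl = Packet("10.0.0.12", "198.51.100.22", b"hello carl")
    print(deliver(fw_a, fw_b, bob_to_alice))
    print(fw_a.send_outbound(bob_to_alice).spi == fw_a.send_outbound(emily_to_carl).spi)
    print(tampering_is_rejected(fw_a, fw_b, bob_to_alice))
```

Running it shows what Alice's machine actually sees: the source is Bob's translated outside address from Firewall A's database, not his inside address, and the destination has already been mapped back to Alice's inside address by Firewall B. Both the Bob/Alice and Emily/Carl packets carry the same SPI, i.e. the same security association.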
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:22 CDT