> -----Original Message-----
> From: Samuel Patton [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 12 February 2001 2:01
> To: Ben Nagy
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: VPN technology
>
>
> > > A slight correction. IPSec is also NATable if you are not using the
> > > Authentication Header (AH). Use of AH or AH/ESP mode through NAT
> > > breaks because NAT packet mangling makes HMAC checksums calculate
> > > to an incorrect value. (See RFC 2709)
>
> <Ben Nagy wrote>
> > Um, and if your auth is not based on IP addresses, and if you're not doing
> > PAT, and if the moon is in Jupiter, preferably waxing.
>
> Ouch, he comes out with no gloves on.
This wasn't meant to be a flame - just a correction-correction. You'd know
if I had the gloves off. >;)
> I will address this response in two portions.
>
> 1) I am fairly certain that use of heavenly bodies as premises to arguments
> is "off topic for this list."
But that's OK, since so are VPNs. I have, in the past, used baking cakes,
buses, aquatic mammals, carnivorous fish and no doubt even stranger things
that I've forgotten. I'm sure that I'm allowed some leeway, since...
> 2) Ben is right.
;)
> The circumstances in which IPSec/NAT are implemented may be dependent on
> several variables and thus limit the circumstances it can/should be used.
> So I will further qualify my previous statement a bit more as I am still
> a bit sore from the slap in the face from Ben. IPSec/NAT is supported.
> From a security perspective, implementation of IPSec/NAT will not support
> AH for integrity/authenticity protection. From a reality standpoint,
> IPSec/NAT is around in a large number of environments.
I don't want to think about the hideous tricks people are using to make it
work, though. I quite like the work done by a few people to produce "NAT
transparent" IPsec, using an extra UDP encapsulation. Other than that, the
best practice recommendation still remains to NAT before putting things into
an IPSec tunnel. I'd (personally) much rather steer people into
implementation choices that are likely to Just Work, and will be supportable
and intuitive. IPSec ESP with NAT and Fairy Dust doesn't fall into those
categories, despite the fact that there are a couple of situations in which
it will work.
> Best Regards,
>
> Sam
Again - this is NOT a flame. Honest.
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
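Worked illustration of the point both posters agree on above (AH breaks through NAT, ESP's integrity check does not). This is an added example, not code from anyone in the thread. It models the AH integrity check value as RFC 2402 defines it: HMAC-SHA1-96 over the IPv4 header with the mutable fields (TOS, flags/fragment offset, TTL, header checksum) treated as zero, followed by the AH header and payload. The ESP check follows RFC 2406 and covers only the ESP header and payload, never the outer IP header. The key, addresses, SPIs and payload are constructed; the IP header builder is simplified (no options), and the ESP payload is not actually encrypted since only the integrity check is under discussion.

```python
"""Why IPsec AH fails through NAT while ESP's integrity check survives."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key-not-a-real-sa"  # constructed SA key
PROTO_ESP, PROTO_AH = 50, 51
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte digest to 96 bits


def ip_checksum(header: bytes) -> int:
    """Standard IPv4 one's-complement checksum over 16-bit words."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_header: bytes) -> bytes:
    """RFC 2402 sec. 3.3.3.1: fields a router may legitimately change are
    treated as zero when computing or verifying the AH ICV. Source and
    destination addresses are NOT in this list, which is the whole problem."""
    hdr = bytearray(ip_header)
    hdr[1] = 0                # TOS
    hdr[6:8] = b"\x00\x00"    # flags + fragment offset
    hdr[8] = 0                # TTL
    hdr[10:12] = b"\x00\x00"  # header checksum
    return bytes(hdr)


def ah_icv(key: bytes, ip_header: bytes, ah_and_payload: bytes) -> bytes:
    return hmac.new(key, zero_mutable_fields(ip_header) + ah_and_payload, hashlib.sha1).digest()[:ICV_LEN]


def esp_icv(key: bytes, esp_header_and_payload: bytes) -> bytes:
    return hmac.new(key, esp_header_and_payload, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    # AH header: next header (6 = TCP), payload len, reserved, SPI, sequence, then ICV.
    ah_fields = struct.pack("!BBHII", 6, 4, 0, 0x1001, 1)
    hdr = build_ipv4_header(src, dst, PROTO_AH, len(ah_fields) + ICV_LEN + len(payload))
    icv = ah_icv(key, hdr, ah_fields + b"\x00" * ICV_LEN + payload)  # ICV field zeroed while computing
    return hdr + ah_fields + icv + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    hdr, rest = packet[:20], packet[20:]
    ah_fields, icv, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    expected = ah_icv(key, hdr, ah_fields + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(expected, icv)


def build_esp_packet(key: bytes, src: str, dst: str, payload: bytes) -> bytes:
    # ESP header (SPI, sequence) plus payload; payload is left in the clear here (constructed).
    esp = struct.pack("!II", 0x2002, 1) + payload
    hdr = build_ipv4_header(src, dst, PROTO_ESP, len(esp) + ICV_LEN)
    return hdr + esp + esp_icv(key, esp)


def verify_esp_packet(key: bytes, packet: bytes) -> bool:
    esp, icv = packet[20:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(esp_icv(key, esp), icv)


def route_packet(packet: bytes) -> bytes:
    """A plain router only decrements TTL and refreshes the header checksum."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def nat_packet(packet: bytes, public_src: str) -> bytes:
    """A NAT additionally rewrites the source address, which AH covers."""
    hdr = bytearray(route_packet(packet)[:20])
    hdr[12:16] = ipaddress.IPv4Address(public_src).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


# Constructed sample: private host 10.0.0.5 behind a NAT with public address
# 198.51.100.7 talking to 203.0.113.10 (RFC 5737 documentation ranges).
PRIVATE_SRC, PUBLIC_SRC, DST = "10.0.0.5", "198.51.100.7", "203.0.113.10"
PAYLOAD = b"constructed TCP segment"


def demo() -> dict:
    ah = build_ah_packet(KEY, PRIVATE_SRC, DST, PAYLOAD)
    esp = build_esp_packet(KEY, PRIVATE_SRC, DST, PAYLOAD)
    return {
        "ah_after_routing": verify_ah_packet(KEY, route_packet(ah)),   # True: TTL is mutable
        "ah_after_nat": verify_ah_packet(KEY, nat_packet(ah, PUBLIC_SRC)),  # False: src addr is covered
        "esp_after_nat": verify_esp_packet(KEY, nat_packet(esp, PUBLIC_SRC)),  # True: outer header not covered
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'FAILS integrity check'}")
```

The routing case is included deliberately: AH is not fragile in general, since the fields a hop legitimately changes are excluded from the HMAC. It is specifically the address rewrite that NAT performs which lands on an immutable field. The ESP case passing here only says the integrity check survives; the PAT and address-based authentication caveats raised in the thread are separate and not modelled.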