/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
On Sat, 21 Aug 1999, gokul wrote:
> 1) Is there any difference between NAT and IP Masquerading? This
> question stems from the fact that Cisco calls its router a NAT box
NAT is one-to-one, Masq is many-to-one. In other words, in masq all of
the systems behind the gateway appear to be the gateway - many systems
appear to be one. In NAT, for each system behind the gateway you need
a separate IP address on the outside of the gateway - one IP address
outside the gateway is translated to one IP address inside the
gateway.
> 2) How does IP Masq use firewalling s/w so that the network becomes
> more secure? How is masquerading better than conventional
> firewalling?
It's not an either-or situation. Masq is "diddling with the IP
addresses". Firewalling is "should this traffic be permitted?" Masq is
generally used to improve access and isn't per se a security tool,
though *which* traffic is masqueraded is subject to firewall rules
and local security policy. Also, if the local network addresses are
assigned from one of the non-routable private address spaces, the
systems behind the gateway are that much less exposed to the Internet
at large.
> 3) Is there any scope for IP Masq once IPv6 is implemented?
IPv6 should make masq largely unneeded. The address space in IPv6 is
*much* larger and is divided up differently, such that the IPv6
address you get from your ISP would probably actually be an address
*space* of (say) 256 addresses.
> 4) How are the various modifications made to the IP address, IP checksum, TCP
> checksum, etc.?
On outbound packets the source IP address and source TCP/UDP port are
modified to make the traffic appear to come from the masq gateway. On
inbound packets the destination IP address and destination TCP/UDP
port are modified to route the traffic back to the original host.
IP, TCP and UDP checksums are recalculated after this processing.
In addition, TCP and UDP protocols where address or port information
is in the payload require special protocol-aware handlers (e.g.
ip_masq_ftp) that understand the protocol and can modify this embedded
information such that data transfer still takes place.
Other protocols (such as IPsec) require special handling.
--
John Hardin KA7OHZ [EMAIL PROTECTED]
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
Efficiency can magnify good, but it magnifies evil just as well.
So, we should not be surprised to find that modern electronic
communication magnifies stupidity as *efficiently* as it magnifies
intelligence.
-- Robert A. Matern
-----------------------------------------------------------------------
19 days until 9/9/99
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
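The mechanics behind answers 1 and 4 (a many-to-one masquerading table keyed on the inside host's address and port, rewriting of the IP address and port fields, and recalculation of the IP and UDP checksums) can be shown with a small packet translator. The following is an added example written for this archive page, not code from the list's author or from the Linux ip_masq implementation. It assumes a gateway address of 203.0.113.1, inside hosts in 192.168.1.0/24 and a remote server at 198.51.100.7 (all documentation-range addresses), and handles only IPv4/UDP; the Masquerader class, the port range starting at 61000 and the packet builder are constructions for illustration.

```python
import struct

GATEWAY_IP = "203.0.113.1"  # assumed public address of the masq gateway


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP, TCP and UDP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_udp_packet(src_ip, src_port, dst_ip, dst_port, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP packet with valid checksums (test input, not captured traffic)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    # The UDP checksum covers a pseudo-header with both IP addresses, which is
    # why a NAT rewrite of the addresses forces a UDP checksum recalculation.
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)
    csum = checksum(pseudo + udp) or 0xFFFF  # 0 means "no checksum" in UDP, so use 0xFFFF
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp


def parse(pkt: bytes):
    """Return (ihl, src_ip, src_port, dst_ip, dst_port) of an IPv4/UDP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return ihl, bytes_to_ip(pkt[12:16]), src_port, bytes_to_ip(pkt[16:20]), dst_port


def verify(pkt: bytes) -> bool:
    """True if both the IP header checksum and the UDP checksum verify (sum over all words is zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        return False
    udp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, len(udp))
    return checksum(pseudo + udp) == 0


def rewrite(pkt: bytes, src_ip=None, src_port=None, dst_ip=None, dst_port=None) -> bytes:
    """Patch the chosen address/port fields in place, then recompute both checksums."""
    b = bytearray(pkt)
    ihl = (b[0] & 0x0F) * 4
    if src_ip is not None:
        b[12:16] = ip_to_bytes(src_ip)
    if dst_ip is not None:
        b[16:20] = ip_to_bytes(dst_ip)
    if src_port is not None:
        b[ihl:ihl + 2] = struct.pack("!H", src_port)
    if dst_port is not None:
        b[ihl + 2:ihl + 4] = struct.pack("!H", dst_port)
    # IP header checksum: zero the field and recompute over the header only
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", checksum(bytes(b[:ihl])))
    # UDP checksum: zero the field and recompute over pseudo-header + UDP datagram
    b[ihl + 6:ihl + 8] = b"\x00\x00"
    pseudo = bytes(b[12:20]) + struct.pack("!BBH", 0, 17, len(b) - ihl)
    b[ihl + 6:ihl + 8] = struct.pack("!H", checksum(pseudo + bytes(b[ihl:])) or 0xFFFF)
    return bytes(b)


class Masquerader:
    """Many-to-one translation: every inside (ip, port) gets its own port on the single gateway address."""

    def __init__(self, gateway_ip: str, first_port: int = 61000):
        self.gateway_ip = gateway_ip
        self.next_port = first_port
        self.out_table = {}  # (inside_ip, inside_port) -> gateway port
        self.in_table = {}   # gateway port -> (inside_ip, inside_port)

    def outbound(self, pkt: bytes) -> bytes:
        _, src_ip, src_port, _, _ = parse(pkt)
        key = (src_ip, src_port)
        if key not in self.out_table:  # first packet of a flow allocates a mapping
            self.out_table[key] = self.next_port
            self.in_table[self.next_port] = key
            self.next_port += 1
        return rewrite(pkt, src_ip=self.gateway_ip, src_port=self.out_table[key])

    def inbound(self, pkt: bytes):
        _, _, _, dst_ip, dst_port = parse(pkt)
        if dst_ip != self.gateway_ip or dst_port not in self.in_table:
            return None  # no existing mapping: unsolicited inbound traffic has nowhere to go
        inside_ip, inside_port = self.in_table[dst_port]
        return rewrite(pkt, dst_ip=inside_ip, dst_port=inside_port)


if __name__ == "__main__":
    masq = Masquerader(GATEWAY_IP)
    out = masq.outbound(build_udp_packet("192.168.1.10", 5000, "198.51.100.7", 53, b"query"))
    print("outbound after masq:", parse(out)[1:], "checksums ok:", verify(out))
    back = masq.inbound(build_udp_packet("198.51.100.7", 53, GATEWAY_IP, 61000, b"answer"))
    print("inbound after de-masq:", parse(back)[1:], "checksums ok:", verify(back))
```

A real kernel updates the checksums incrementally (RFC 1624) instead of recomputing them over the whole datagram, and TCP needs the same pseudo-header fix-up plus connection-state tracking; the example recomputes from scratch because it is simpler to read. The `inbound` drop of packets with no mapping is the side effect the reply alludes to in answer 2: masquerading is not a firewall, but an inside host that has not sent anything cannot be reached through the gateway, and the table lookup is where a protocol-aware helper such as ip_masq_ftp would have to add the extra mapping for a data connection announced in the payload.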