> This isn't just a Solaris issue. NAT-Traversal CAN'T work with AH, given
> what parts of the IP header AH protects. NAT's a hostile entity as far as AH
> is concerned. (Can you blame AH? ;)

That is my understanding too.

> If you're separating two sites, you need tunnels anyway. And if you're using
> tunnels, why do you need AH? What problem do you think AH will solve that
> ESP won't in this case?

From what I understand, ESP just encrypts the packet payload, but it is AH that guarantees that the packet headers or the payload aren't tampered with in transit. Unless I misunderstood, it is theoretically possible for a malicious third party to modify the packets in transit with a completely different encapsulated security payload, or even completely replace packets, since there would be no AH to check the packet's integrity?

On top of that, I read somewhere (could be docs.sun.com or Wikipedia) that use of ESP without AH is strongly discouraged.

> It's REALLY hard to have NATs between *both* sides of communicating peers.

Well, it's not like I have a choice. When one has two firewalls, one must NAT to the external IP addresses of those.

> Are you saying that the NAT is ALSO the IPsec gateway? If it is, you may not
> have to worry about NAT in that case. You should draw some ASCII pictures
> for the audience -- it'll help.

Yes. The firewalls would be IPSec gateways. Absolutely. Like this:

                +------+         +---------+
  LAN A         |      |1st NAT  |  ADSL   |2nd NAT
  --------------+ FW A +---------+ "modem" +----------------+
                |      |priv.    |         |ext. IP address |
                +------+IP       +---------+                |
                                                            | 3rd NAT
                                                            |ext. IP address
                                                        +---+--+
                                                        |      |
                                                        | FW B |
                                                        |      |
                                                        +--+---+
                                                           |
                                                           | LAN B
                                                           |

This message posted from opensolaris.org
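Editor's added example, not code from either poster or from any IPsec implementation: a toy model of the point quoted above, that "what parts of the IP header AH protects" is what makes a NAT fatal to AH. It computes an AH-style ICV over the outer IP header (mutable fields zeroed, addresses covered) and an ESP-style ICV over only the ESP header, payload and trailer, then applies the rewrite a NAT performs to the outer header and checks which ICV still verifies. Everything in it is an assumption made for the illustration: a constructed 32-byte shared key, HMAC-SHA-256 truncated to 96 bits standing in for the negotiated integrity algorithm, a fixed SPI and sequence number, an unencrypted byte string standing in for the ESP ciphertext, and a header model that keeps only the IPv4 fields the comparison needs.

```python
"""Toy AH-vs-ESP integrity check under NAT. Editor's example, not from the thread.
Assumed for illustration: constructed key, HMAC-SHA-256/96 as the integrity
algorithm, fixed SPI/seq, unencrypted bytes standing in for ESP ciphertext."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

KEY = b"\x11" * 32           # constructed shared key; real SAs negotiate this via IKE
ICV_LEN = 12                 # 96-bit truncated ICV, the length AH and ESP commonly carry
SPI, SEQ = 0x1000, 7         # constructed SA parameters
PAYLOAD = b"inner packet"    # constructed; in tunnel mode this is the whole inner IP packet


@dataclass(frozen=True)
class IPv4Header:
    """Only the outer-header fields this comparison needs (assumption)."""
    src: str
    dst: str
    ttl: int


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def icv(data):
    """Stand-in integrity algorithm: HMAC-SHA-256 truncated to ICV_LEN bytes."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_icv(hdr, payload):
    """AH (RFC 4302) hashes the outer IP header with mutable fields (TOS, flags/
    fragment offset, TTL, checksum) zeroed, the AH header with a zeroed ICV
    field, and the payload. Source/destination addresses are immutable and
    therefore ARE covered."""
    ah_len = 12 + ICV_LEN
    total_len = 20 + ah_len + len(payload)
    ip_fixed = struct.pack(
        "!BBHHHBBH",
        0x45, 0,        # version/IHL; TOS zeroed
        total_len, 0,   # total length; identification
        0,              # flags/fragment offset zeroed
        0,              # TTL zeroed
        51,             # protocol = AH
        0,              # header checksum zeroed
    )
    ah_hdr = struct.pack("!BBHII", 4, ah_len // 4 - 2, 0, SPI, SEQ)  # next header 4 = IP-in-IP
    return icv(ip_fixed + ip_bytes(hdr.src) + ip_bytes(hdr.dst)
               + ah_hdr + b"\x00" * ICV_LEN + payload)


def esp_icv(payload):
    """ESP (RFC 4303) with an integrity algorithm hashes the ESP header (SPI,
    sequence number), the encrypted payload and the trailer. The outer IP
    header is not an input at all."""
    esp_hdr = struct.pack("!II", SPI, SEQ)
    trailer = struct.pack("!BB", 0, 4)  # pad length 0; next header 4 = IP-in-IP
    return icv(esp_hdr + payload + trailer)


def nat_rewrite(hdr, new_src):
    """What a NAT does to the outer header on the way out: new source address,
    TTL decremented. It holds no SA key, so it cannot recompute any ICV."""
    return replace(hdr, src=new_src, ttl=hdr.ttl - 1)


def ah_verify(hdr, payload, received_icv):
    return hmac.compare_digest(ah_icv(hdr, payload), received_icv)


def esp_verify(payload, received_icv):
    return hmac.compare_digest(esp_icv(payload), received_icv)


ORIG = IPv4Header(src="10.0.0.1", dst="203.0.113.9", ttl=64)  # constructed addresses


def ah_survives_router_hop():
    """A plain router only decrements TTL, a mutable field AH zeroes: still verifies."""
    sent = ah_icv(ORIG, PAYLOAD)
    return ah_verify(replace(ORIG, ttl=ORIG.ttl - 1), PAYLOAD, sent)


def ah_survives_nat():
    """A NAT rewrites the source address, which AH covers: verification fails."""
    sent = ah_icv(ORIG, PAYLOAD)
    return ah_verify(nat_rewrite(ORIG, "198.51.100.7"), PAYLOAD, sent)


def esp_survives_nat():
    """The same rewrite never touches bytes the ESP ICV was computed over."""
    sent = esp_icv(PAYLOAD)
    nat_rewrite(ORIG, "198.51.100.7")  # changes only the outer header, which esp_icv never reads
    return esp_verify(PAYLOAD, sent)


def esp_detects_payload_tampering():
    """Changing one byte of the ESP payload in transit does fail the ESP check."""
    sent = esp_icv(PAYLOAD)
    return esp_verify(PAYLOAD[:-1] + b"?", sent)


if __name__ == "__main__":
    print("AH after TTL decrement :", ah_survives_router_hop())
    print("AH after NAT rewrite   :", ah_survives_nat())
    print("ESP after NAT rewrite  :", esp_survives_nat())
    print("ESP after payload edit :", esp_detects_payload_tampering())
```

The design point is in the input to `icv()`: the AH hash takes the outer addresses, the ESP hash does not, so a box that rewrites addresses without the SA key breaks the first and leaves the second intact. In the diagram above, the "1st NAT" on FW A and the "3rd NAT" on FW B are the rewrites this models; the diagram's IPsec gateways are the same boxes, which is why the quoted reply says the NAT may not matter there.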