
IETF network & VPNs

2001-08-09 14:10:03
At 14:20 09/08/01, Matt Holdrege wrote:
> Wrong! Most IETF'ers I know tunnel back to their home offices. I personally
> use an IPsec/IKE implementation that doesn't care much for NAT.

If the remote ESP tunnel endpoint (and IKE KM endpoint) is on the 
external interface of a box that is also performing NAT on the inside
interface, there just isn't a problem.  Lots of the economical
gateway/firewall/encryptor widgets work this way.  This approach 
actually works quite well, particularly if one's employer has an
internal network using private address space.

This approach does mean that the mobile host has a different IP address 
for the RED ESP network interface than for its BLACK physical network 
interface.  Laptops at IETF with ESP tunnels back to one's employer 
date back at least to late 1995, when danmcd was doing it (complete 
with automated session key change every 24 hours), though he wasn't
using NAT (employer had lots of globally routable IP addresses).

Mind, the original designer of ESP/AH erroneously thought that 
ESP/AH would mainly be used to provide end-to-end security,
rather than gateway-to-gateway security (which is how it has 
played out).  

Cheers,

Ran
rja@inet.org
