Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard

At 02:59 PM 3/31/98 -0500, Perry E. Metzger wrote:
>
>Because "trusted NAT", meaning "share your encryption keys with your
>routers" is like "military intelligence" or "congressional
>oversight", perhaps?

In some cases, there can be a trusted NAT.  This is a system set up for this
task only, not a bunch of other firewallish and NAT stuff, to limit risks.

In many of these cases, there might be an ESP gw-gw tunnel and within it a
NULL-ESP end-end transport.  But ESP transport cannot be NATed, as
the TCP checksum is in the ESP frame and the IP addresses are not.  So it
would have to be a NULL-ESP end-end tunnel.

BTW, this is valuable to protect your connection over the internet, but to
know who the actual end party is in an inter-enterprise environment (where
it is unwise to trust IP addresses as gw-gw tends to result with).
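The checksum point in the message above, worked through as an added example (this is not code from the thread or from any IPsec implementation): the TCP checksum is computed over a pseudo-header that includes the source and destination IP addresses, so a NAT that cannot look inside ESP cannot repair it. In transport mode the only IP header is the one the NAT rewrites, so the segment arrives with a checksum that no longer matches; in tunnel mode the segment is checked against the encapsulated inner header, which the NAT never touched. The ESP integrity check passes in both cases because ESP's ICV does not cover the outer IP header. The model uses ESP-NULL with an HMAC-SHA256-128 ICV and a plain source NAT; the key, SPI, ports and addresses are constructed for the example, and SA negotiation and replay protection are left out.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-sa-key"        # constructed; SA negotiation (IKE) is out of scope
SPI = 0x1000                            # constructed
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
ICV_LEN = 16                            # HMAC-SHA256-128 truncation


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def ipv4_addrs(pkt: bytes):
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])


def tcp_pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    # The pseudo-header is what ties the TCP checksum to the IP addresses.
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, seg_len)


def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = internet_checksum(tcp_pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    return internet_checksum(tcp_pseudo_header(src, dst, len(seg)) + seg) == 0


def esp_encap(seq: int, inner: bytes, next_hdr: int) -> bytes:
    """ESP-NULL: SPI, sequence, payload, padding to 4 bytes, pad-len, next-header, ICV."""
    pad_len = (-(len(inner) + 2)) % 4
    body = (struct.pack("!II", SPI, seq) + inner
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decap(esp: bytes):
    """Return (payload, next_header); raise if the ICV does not verify."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN], icv):
        raise ValueError("ESP ICV mismatch")
    pad_len, next_hdr = body[-2], body[-1]
    return body[8:len(body) - 2 - pad_len], next_hdr


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """Source NAT without the SA key: it can only rewrite the outer IP header."""
    hdr = pkt[:12] + socket.inet_aton(new_src) + pkt[16:20]
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + pkt[20:]


def receive(pkt: bytes):
    """Receiver side: returns (esp_icv_ok, tcp_checksum_ok)."""
    try:
        inner, next_hdr = esp_decap(pkt[20:])   # ICV excludes the outer header, so NAT does not break it
    except ValueError:
        return False, False
    if next_hdr == IPPROTO_TCP:                 # transport mode: outer (NAT-rewritten) addresses
        src, dst = ipv4_addrs(pkt)
        seg = inner
    else:                                       # tunnel mode: inner header, untouched by the NAT
        src, dst = ipv4_addrs(inner)
        seg = inner[20:]
    return True, tcp_checksum_ok(src, dst, seg)


HOST_A, HOST_B, NAT_PUBLIC = "10.0.0.5", "192.0.2.10", "203.0.113.1"   # constructed addresses
SEG = tcp_segment(HOST_A, HOST_B, 40000, 443, b"hello")


def transport_mode_via_nat():
    esp = esp_encap(1, SEG, IPPROTO_TCP)
    pkt = ipv4_header(HOST_A, HOST_B, IPPROTO_ESP, len(esp)) + esp
    return receive(nat_rewrite_src(pkt, NAT_PUBLIC))      # (True, False)


def tunnel_mode_via_nat():
    inner_pkt = ipv4_header(HOST_A, HOST_B, IPPROTO_TCP, len(SEG)) + SEG
    esp = esp_encap(1, inner_pkt, IPPROTO_IPIP)
    pkt = ipv4_header(HOST_A, HOST_B, IPPROTO_ESP, len(esp)) + esp
    return receive(nat_rewrite_src(pkt, NAT_PUBLIC))      # (True, True)


if __name__ == "__main__":
    print("ESP transport through NAT (icv_ok, tcp_ok):", transport_mode_via_nat())
    print("ESP tunnel    through NAT (icv_ok, tcp_ok):", tunnel_mode_via_nat())
```

The transport-mode run is the case the message calls un-NATable: the ESP layer accepts the packet, then the TCP stack discards the segment because its checksum was computed against 10.0.0.5 and is now being verified against 203.0.113.1. A NAT that wanted to repair that checksum would have to strip and re-apply the ESP ICV, which is exactly what sharing the SA keys with the router means; the tunnel-mode run needs no such help.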




Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.