Re: Questions (Rants?) About IPSEC

From: James F. Hranicky (jfh@cise.ufl.edu)
Date: 02/07/02


To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Date: Thu, 07 Feb 2002 17:18:23 -0500
From: "James F. Hranicky" <jfh@cise.ufl.edu>

Garrett Wollman <wollman@khavrinen.lcs.mit.edu> wrote:
>
> > - IPSEC routers have to basically be the border router for
> > a site, as there is no post-decryption NAT protocol to
> > get packets back to a router on the inside of the network
> > (Apparently, Cisco VPN boxes have this capability, but
> > it's an add-on to IPSEC AFAICT).
>
> IPSEC is designed to thwart processes which corrupt packet headers
> (including NAT).

In my scenario, NAT would occur after decryption, allowing IPSEC routers
to be placed at arbitrary points in the internal net. As I understand it,
Cisco's VPN box does just that.

Thanks for your input.

Jim
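The ordering the two posts disagree about, as an added toy model that is not code from this thread, from FreeBSD or from any IPsec implementation. It stands in HMAC-SHA256 for the AH/ESP integrity check and a hash-derived keystream for ESP's encryption (neither is a real transform), and the addresses, the pre-shared KEY, the packet layout and the sample HTTP payload are all constructed. What it shows is only where the integrity check reaches: AH's ICV covers the outer header, so NAT applied before verification fails; ESP's ICV does not cover the outer header, and the inner packet can be NATed freely once it has been decapsulated.

```python
"""Toy model: NAT before vs. after IPsec processing at a gateway.

Constructed example, not code from the original posts or from any IPsec stack.
The cryptography here is a deliberately simplified stand-in for AH/ESP.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: one pre-shared key stands in for the SA's keys.
KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 12  # AH/ESP commonly use 96-bit truncated ICVs


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    payload: bytes

    def header(self) -> bytes:
        return ipaddress.ip_address(self.src).packed + ipaddress.ip_address(self.dst).packed

    def to_bytes(self) -> bytes:
        return self.header() + self.payload


def parse_ip(raw: bytes) -> IPPacket:
    return IPPacket(str(ipaddress.ip_address(raw[:4])), str(ipaddress.ip_address(raw[4:8])), raw[8:])


def icv(data: bytes) -> bytes:
    """Integrity check value over exactly the bytes the transform protects."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def xor_keystream(data: bytes) -> bytes:
    """Toy stream cipher (hash counter mode). NOT a real cipher; stands in for ESP confidentiality."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# AH tunnel mode: the ICV covers the outer IP header (immutable fields) plus the inner packet.
def ah_encapsulate(inner: IPPacket, gw_src: str, gw_dst: str) -> IPPacket:
    outer_hdr = ipaddress.ip_address(gw_src).packed + ipaddress.ip_address(gw_dst).packed
    return IPPacket(gw_src, gw_dst, icv(outer_hdr + inner.to_bytes()) + inner.to_bytes())


def ah_decapsulate(outer: IPPacket) -> Optional[IPPacket]:
    tag, body = outer.payload[:ICV_LEN], outer.payload[ICV_LEN:]
    if not hmac.compare_digest(tag, icv(outer.header() + body)):
        return None  # outer header changed in transit (e.g. by NAT): packet is dropped
    return parse_ip(body)


# ESP tunnel mode: the ICV covers only the encrypted inner packet, never the outer header.
def esp_encapsulate(inner: IPPacket, gw_src: str, gw_dst: str) -> IPPacket:
    ct = xor_keystream(inner.to_bytes())
    return IPPacket(gw_src, gw_dst, ct + icv(ct))


def esp_decapsulate(outer: IPPacket) -> Optional[IPPacket]:
    ct, tag = outer.payload[:-ICV_LEN], outer.payload[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(ct)):
        return None
    return parse_ip(xor_keystream(ct))


def nat_dst(pkt: IPPacket, new_dst: str) -> IPPacket:
    """Destination NAT on whatever header it is handed (outer or inner)."""
    return IPPacket(pkt.src, new_dst, pkt.payload)


# Constructed topology: remote gateway -> site border (IPsec endpoint) -> internal router.
INNER = IPPacket("10.1.0.5", "10.2.0.9", b"GET / HTTP/1.0\r\n")
REMOTE_GW, BORDER, INTERNAL_GW = "198.51.100.1", "203.0.113.1", "10.2.0.254"


def nat_before_ipsec() -> dict:
    """Border box rewrites the OUTER header toward an internal IPsec router before verification.

    AH fails (its ICV covers the rewritten header); the ESP ICV survives here, but real
    ESP carries no ports for a NAT to map, which is why NAT traversal needs UDP encapsulation.
    """
    ah = nat_dst(ah_encapsulate(INNER, REMOTE_GW, BORDER), INTERNAL_GW)
    esp = nat_dst(esp_encapsulate(INNER, REMOTE_GW, BORDER), INTERNAL_GW)
    return {"ah": ah_decapsulate(ah), "esp": esp_decapsulate(esp)}


def nat_after_ipsec() -> Optional[IPPacket]:
    """Border IPsec endpoint decapsulates first, then NATs the INNER packet to an internal router."""
    inner = esp_decapsulate(esp_encapsulate(INNER, REMOTE_GW, BORDER))
    return None if inner is None else nat_dst(inner, INTERNAL_GW)
```

Run `nat_before_ipsec()` and `nat_after_ipsec()` side by side: the AH case comes back as `None` because the rewritten outer destination no longer matches what the sender authenticated, while the post-decryption path hands the internal router a plain, already-verified packet that it can route like any other.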

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message