RE: Comcast and IPSec traffic

From: J. Oquendo (
Date: 09/16/03

  • Next message: Joris De Donder: "Re: xp professional - local administrator password"
    Date: Tue, 16 Sep 2003 17:07:18 -0400

    As per the CCIE Routing TCP/IP vol2 book page 346 Encryption paragraph:

    for NAT to function, neither the IP addresses nor any information
    derived from them (such as the TCP header checksum) can be encrypted.

    Amother concern is VPN's using for example, IPSec. With certain modes
    of IPSec, if an IP address is changed in an IPSec packet, the IPSec
    becomes meaningless and the VPN is broken. When ANY sort of encryption
    is used, you must place the NAT on the secure side rather than the
    encrypted path...

    One of the things you should think about is whether or not Comcast is
    setting you up under NAT when you didn't want to be running under NAT.
    Sounds confusing even as I type this, but say you've signed up for
    say like a static IP connection... And they're NAT'ed this saves Comcast
    nothing because they're not in charge of your own network, however you
    set it up. Maybe they're just filtering something without your consent
    who knows...

    Hi all,
        This goes back to a fairly old thread (8/13, not that old). Mark, you
    sent an email asking if anyone had noticed Comcast blocking IPSec traffic.
        Well, guess what Comcast has started advertising. Comcast is now
    offering "High-Speed Internet Pro" service. It offers and "even faster
    connection." And among other things, they list "VPN Compatible" on their
        I guess that answers your question about whether they are blocking IPSec


    exec `echo ajbqghuf|rot13|sed '/\n/!G;s/\(.\)\(.*\n\)/&\2\1/;//D;s/.//'`
    Jesus Oquendo
    sil @ disgraced . org
    sil @ antioffline . com
    PGP Fingerprint
    39A7 24C6 A9A0 6C67 96CA 0302 F1D3 2420 851E E3D0
    You're free. And freedom is beautiful. And, you know, 
    it'll take time to restore chaos and order, order out
    of chaos. But we will." George W. Bush Washington, 
    D.C., April 13, 2003
    Captus Networks 
    Are you prepared for the next Sobig & Blaster? 
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans 
     - Precisely Define and Implement Network Security 
     - Automatically Control P2P, IM and Spam Traffic 
    FIND OUT NOW -  FREE Vulnerability Assessment Toolkit

  • Next message: Joris De Donder: "Re: xp professional - local administrator password"

    Relevant Pages

    • Re: L2TP/IPSec Verbindung läuft mit XP SP2 nicht mehr
      ... In XPSP2 the IPsec driver needs a registry setting when either the ... server or workstation are behind a NAT gateway. ... 1- Client initiates to a server that is behind the NAT ... > Peer Private Addr ...
    • RE: Secure / Encrypt Terminal Services
      ... Terminal Services does have decent encryption, ... IPSec is a great solution. ... As for the encryption, I do feel somewhat safe using the built-in ... I would certainly consider additional security. ...
    • Re: IPsec + NAT + mehrere Tunnelendpunkte
      ... Ist der VPN-Endpunkt ein Cisco Concentrator oder eine PIX? ... Und warum macht er dort ueberhaupt doppelt NAT? ... Session-Keys des IPSEC Tunnels verwendet. ...
    • Re: "Linux Shminux - IPsec is Snake Oil!" VMS Mgmnt
      ... In addition to the Apple, IBM, SUN, Microsoft, and HP-UX support for IPsec I ... This was a public company which needed to meet Sarbanes-Oxley regulations and auditing, most of which covered security. ... I couldn't say whether IPSEC or some other form of encryption was really needed or not but I'm reasonably certain that none of my jobs since being discharged from the Army in 1969 used any form of encryption for internal network traffic. ...
    • Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall
      ... My belief is that your NAT ... My understanding is that IPSec AH protocol does not work with NAT devices ... IPSec operates in either one of two modes - transport mode or tunnel mode. ... provide a VPN remote access solution. ...