Re: ISPs can easily decrease net abuse
From: Walter Roberson (roberson_at_ibd.nrc-cnrc.gc.ca)
Date: 12/02/03
Date: 2 Dec 2003 03:59:39 GMT
In article <0TTyb.118354$Fv8.114900@twister01.bloor.is.net.cable.rogers.com>,
booster <saltynuts2002@msn.com> wrote:
:ipv6 isn't only about shortage.. it has better security and a host of
:features too. For example you can't do ipsec over NAT. NAT is a hack and we
:all know hacks will burn you sooner or later

You *can* do IPSec over NAT.

IPSec defines multiple layers: the payload itself (possibly
encrypted), encryption headers (ESP), and authentication headers (AH).
AH is optional, and if you don't have it turned on, then you can
still use the authentication layer that ESP provides for the payload;
AH adds authentication of the IP addresses themselves.

It was not possible before to do AH over NAT, but there is now a
draft IETF "UDP Encapsulation of IPSec Packets",
http://www.ietf.org/html.charters/ipsec-charter.html

This UDP encapsulation routine -automatically- detects whether
one or both ends of the link are undergoing NAT, and does encapsulation
via UDP 4500 only if necessary.

-- "There are three kinds of lies: lies, damn lies, and statistics." -- not Twain, perhaps Disraeli, first quoted by Leonard Courtney
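
The NAT detection and UDP 4500 handling described in the message above, as an added example that is not part of the original post: a receiver-side check following the mechanism later published as RFC 3947 (NAT-D hashes) and RFC 3948 (UDP encapsulation of ESP). The cookies, the addresses and the choice of SHA-1 are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the post): IKE cookies and RFC 5737 addresses.
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
INITIATOR_PRIVATE = ("192.168.1.10", 500)   # initiator's own view of itself
INITIATOR_MAPPED = ("203.0.113.5", 1024)    # what the NAT rewrote it to
RESPONDER = ("198.51.100.7", 500)

def natd_hash(ip, port, algo="sha1"):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port). SHA-1 is assumed here;
    the real exchange uses whatever hash the IKE proposal negotiated."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, CKY_I + CKY_R + packed).digest()

def detect_nat(natd_dst, natd_srcs, seen_src, seen_dst):
    """Receiver-side check. natd_dst is the peer's hash of where it sent the packet,
    natd_srcs are its hashes of its own addresses; seen_* come from the IP/UDP header."""
    local = natd_dst != natd_hash(*seen_dst)          # our address was rewritten
    remote = natd_hash(*seen_src) not in natd_srcs    # peer's address was rewritten
    return {"local_behind_nat": local, "remote_behind_nat": remote,
            "use_udp_4500": local or remote}

def classify_udp4500(payload):
    """Demultiplex a datagram received on UDP 4500."""
    if payload == b"\xff":
        return "nat-keepalive"             # one-octet keepalive
    if len(payload) > 4 and payload[:4] == b"\x00" * 4:
        return "ike"                       # non-ESP marker, IKE header follows
    if len(payload) >= 8:
        return "esp"                       # non-zero SPI, then sequence number
    return "malformed"

def demo():
    """Same NAT-D payloads, received once through a NAT and once directly."""
    sent = (natd_hash(*RESPONDER), [natd_hash(*INITIATOR_PRIVATE)])
    through_nat = detect_nat(*sent, seen_src=INITIATOR_MAPPED, seen_dst=RESPONDER)
    direct = detect_nat(*sent, seen_src=INITIATOR_PRIVATE, seen_dst=RESPONDER)
    return through_nat, direct

if __name__ == "__main__":
    for result in demo():
        print(result)
```
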