Fw: Re: Block all servers?

Chris Brenton cbrenton at chrisbrenton.org
Wed Oct 15 11:40:48 UTC 2003


On Tue, 2003-10-14 at 21:12, Fred Heutte wrote:
>
>   IPSec prevents packet modification to thwart man-in-the-middle
>   attacks. However, this strong security feature also generates
>   operational problems. NAT frequently breaks IPSec because it
>   modifies packets by substituting public IP addresses for
>   private ones. Many IPSec products implement NAT traversal
>   extensions, but support for this feature isn't universal, and
>   interoperability is still an issue.

IMHO this is a bit misleading as it implies you need some kind of
special gateway with "NAT traversal extensions" to get IPSec to work.
This is not exactly true as only AH checks the IP header. If you stick
with just ESP you can re-write IPs without failing authentication.

True this only works for one to one NAT. Many to one NAT will still
break IPSec, even if ESP is used alone. This is a functionality issue
however (IPSec using a fixed source port of 500), rather than a
"preventing packet modification to thwart man-in-the-middle attacks"
thing.

> And Phifer notes later that one of the critical issues with SSL
> VPNs is whether you want to "Webify" everything. For all
> of us (I hope), the net is much more than just port 80.

Not so sure you really have to. This is true if you are running things
like pop3s, imaps, etc. but you can also go with something like stunnel
which is pretty close to IPSec. The biggest drawback is no native
support for UDP which makes using internal DNS a bit of a bear.

Cheers,
C
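As an added illustration of the AH-versus-ESP point made above (this is constructed example code, not from the original post or from any IPsec implementation): AH computes its integrity check value over the IP header with only the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, so the source and destination addresses are covered and a NAT rewrite fails verification. ESP covers only its own header and payload, so the same one-to-one rewrite passes. The header layout is real IPv4; the ICV is a plain HMAC-SHA256 standing in for the SA's authentication algorithm, the checksum is left at zero, and the addresses are documentation ranges chosen for the example.

```python
"""
Simplified model of why one-to-one NAT breaks IPsec AH but not ESP.

Constructed teaching example, not a real IPsec stack: a minimal IPv4
header, an HMAC-SHA256 integrity check standing in for the AH/ESP ICV,
and a NAT function that rewrites the source address.
"""
import hashlib
import hmac
import struct

AH, ESP = 51, 50          # IP protocol numbers for AH and ESP
KEY = b"constructed-demo-sa-key"   # shared SA key (constructed value)
ICV_LEN = 32              # SHA-256 digest length


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header, no options; header checksum left at zero for simplicity."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s",
                       ver_ihl, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def ah_mutable_zeroed(header: bytes) -> bytes:
    """AH authenticates the IP header with its mutable fields zeroed.
    Addresses (bytes 12-19) are immutable in AH's view and stay covered."""
    h = bytearray(header)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def sender_protect(proto: int, header: bytes, body: bytes) -> bytes:
    """ICV as the sender computes it: AH covers header+body, ESP covers body only."""
    if proto == AH:
        return mac(ah_mutable_zeroed(header) + body)
    return mac(body)


def receiver_verify(proto: int, header: bytes, body: bytes, icv: bytes) -> bool:
    """Receiver recomputes the ICV over what arrived and compares in constant time."""
    expected = mac(ah_mutable_zeroed(header) + body) if proto == AH else mac(body)
    return hmac.compare_digest(expected, icv)


def one_to_one_nat(header: bytes, new_src: str) -> bytes:
    """Static NAT: rewrite the source address only (a real NAT also fixes the checksum)."""
    h = bytearray(header)
    h[12:16] = ip_to_bytes(new_src)
    return bytes(h)


def router_forward(header: bytes) -> bytes:
    """An ordinary hop: decrement TTL. This is why AH zeroes TTL before hashing."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)


def survives(proto: int, middlebox, src: str, dst: str, body: bytes) -> bool:
    """Protect a packet, pass it through `middlebox`, and report whether the
    receiver's integrity check still passes."""
    hdr = build_ipv4_header(src, dst, proto, len(body) + ICV_LEN)
    icv = sender_protect(proto, hdr, body)
    return receiver_verify(proto, middlebox(hdr), body, icv)


# Constructed sample traffic: inside host 10.0.0.5 talks to peer 203.0.113.9
# through a one-to-one NAT that presents it as 198.51.100.1.
SRC, DST, NAT_SRC = "10.0.0.5", "203.0.113.9", "198.51.100.1"
BODY = b"encrypted-or-plain transport payload (constructed)"


def nat_results() -> dict:
    nat = lambda hdr: one_to_one_nat(hdr, NAT_SRC)
    return {
        "AH through NAT": survives(AH, nat, SRC, DST, BODY),             # False
        "ESP through NAT": survives(ESP, nat, SRC, DST, BODY),           # True
        "AH through plain router": survives(AH, router_forward, SRC, DST, BODY),  # True
    }


if __name__ == "__main__":
    for case, ok in nat_results().items():
        print(f"{case}: {'verifies' if ok else 'FAILS integrity check'}")
```

The third case is the control: a TTL decrement at an ordinary router passes AH because TTL is one of the mutable fields AH excludes, which is exactly why an address rewrite, which AH does not exclude, fails. Note the model says nothing about many-to-one NAT; ESP carries no transport port for a PAT device to multiplex on, so that failure is a separate mechanism from the ICV mismatch shown here.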