[c-nsp] *** GMX Spamverdacht *** RE: IPSEC over NAT - what am I missing?

Nick Hilliard nick at foobar.org
Sun Jan 27 17:41:54 EST 2013


On 27/01/2013 00:46, David Barak wrote:
> And again, I'll mention that there are those of us who specifically
> *rely* on AH breaking NAT, so that we can demonstrate that NAT has not
> occurred across specific non-Internet IP infrastructures.  It's a corner
> case, but a valid corner case, especially in the world of security.  AH
> is useful enough for a small number of people to be preserved.

Interesting case - I like it.  But I still don't think that an edge case
like this justifies AH being a mandatory part of IPSEC, or that using AH
should be anything but discouraged in the general case.

Nick
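
Added example, not part of the original message or thread: the property David Barak relies on comes from AH's integrity check value (ICV) covering the IP source and destination addresses, while fields that routers legitimately change are zeroed before the MAC is computed. The sketch assumes IPv4 without options and HMAC-SHA-256-128 as the integrity algorithm; all function names, keys, addresses and SPI values are constructed for illustration.

```python
import hashlib, hmac, socket, struct

AH_PROTO, ICV_LEN, AH_OFF = 51, 16, 20   # AH protocol number, 128-bit ICV, AH follows 20-byte IPv4 header

def ipv4_header(src, dst, payload_len, ttl=64):
    # ver/IHL, TOS, total length, ID, flags+frag, TTL, protocol, checksum (left 0 here), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl,
                       AH_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ah_header(spi, seq, icv=bytes(ICV_LEN), next_hdr=6):
    # Payload Len is the AH length in 32-bit words minus 2: (12 + 16) / 4 - 2 = 5
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + icv

def icv_input(packet):
    # RFC 4302: zero the IPv4 fields that may change in transit (TOS, flags and fragment
    # offset, TTL, header checksum) and the ICV itself. Addresses stay in the MAC input.
    b = bytearray(packet)
    b[1] = b[8] = 0
    b[6:8] = bytes(2)
    b[10:12] = bytes(2)
    b[AH_OFF + 12:AH_OFF + 12 + ICV_LEN] = bytes(ICV_LEN)
    return bytes(b)

def compute_icv(key, packet):
    return hmac.new(key, icv_input(packet), hashlib.sha256).digest()[:ICV_LEN]

def protect(key, src, dst, spi, seq, payload):
    ip = ipv4_header(src, dst, 12 + ICV_LEN + len(payload))
    icv = compute_icv(key, ip + ah_header(spi, seq) + payload)
    return ip + ah_header(spi, seq, icv) + payload

def verify(key, packet):
    received = packet[AH_OFF + 12:AH_OFF + 12 + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(key, packet))

def in_transit(packet, ttl_drop=0, new_src=None):
    # Model a routed hop (TTL decrement) and/or a source NAT (address rewrite).
    b = bytearray(packet)
    b[8] -= ttl_drop
    if new_src:
        b[12:16] = socket.inet_aton(new_src)
    return bytes(b)

def demo():
    key = b"constructed-demo-key"   # constructed sample values throughout
    pkt = protect(key, "10.0.0.5", "192.0.2.10", 0x1001, 1, b"constructed payload")
    return (verify(key, pkt), verify(key, in_transit(pkt, ttl_drop=3)),
            verify(key, in_transit(pkt, new_src="198.51.100.7")))
```

Calling `demo()` returns the verification result for the untouched packet, for the packet after three routed hops, and for the packet after a source-address rewrite.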


