[c-nsp] *** GMX Spamverdacht *** RE: IPSEC over NAT - what am I missing?

Randy randy_94108 at yahoo.com
Sun Jan 27 19:10:46 EST 2013


--- On Sun, 1/27/13, Nick Hilliard <nick at foobar.org> wrote:

> From: Nick Hilliard <nick at foobar.org>
> Subject: Re: [c-nsp] *** GMX Spamverdacht *** RE: IPSEC over NAT - what am I missing?
> To: "David Barak" <thegameiam at yahoo.com>
> Cc: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Date: Sunday, January 27, 2013, 2:41 PM
> On 27/01/2013 00:46, David Barak wrote:
> > And again, I'll mention that there are those of us who specifically
> > *rely* on AH breaking NAT, so that we can demonstrate that NAT has not
> > occurred across specific non-Internet IP infrastructures.  It's a corner
> > case, but a valid corner case, especially in the world of security.  AH
> > is useful enough for a small number of people to be preserved.
> 
> Interesting case - I like it.  But I still don't think that an edge case
> like this justifies AH being a mandatory part of IPSEC, or that using AH
> should be anything but discouraged in the general case.
> 
> Nick
> 

+1 to "....discouraged in the general case".

Corner Cases for people with specialized knowledge notwithstanding:

a) AH + NAT-T (incompatible, period!)
b) AH + GRE + NAT-T (can work)
c) AH + ESP + NAT-T (still incompatible!)
d) AH + ESP + GRE + NAT-T (can work)

(b) and (d) work only because encryption happens before encap on the interface to which the crypto map, per se, is applied.

Working corner cases create confusion and add to unnecessary bloat imo.
Feedback appreciated.
./Randy
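The mechanics behind the thread's list, as an added illustration that is not part of Randy's post or anything from the list: AH's ICV is computed over the outer IP header with only the mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, so the source and destination addresses are covered. A router hop that only decrements the TTL leaves the ICV valid, a NAT that rewrites the source address does not, which is both why case (a) is incompatible and why David Barak can use AH as a "no NAT happened" check. When AH is applied before encapsulation (cases (b)/(d)), the NAT only touches the outer header, which the inner ICV never covered. The key, addresses, SPI and payload below are constructed for the demo, and the GRE header is the minimal four-byte form.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key-not-for-use"  # constructed demo key
SPI = 0x1001                                # constructed SPI
AH_LEN_WORDS = 4   # AH "Payload Len" for a 12-byte HMAC-SHA1-96 ICV: (24 / 4) - 2

def ip_checksum(hdr):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", bytes(hdr[:20])))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """Build a minimal IPv4 header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ah_immutable_view(ip_hdr):
    """Zero the mutable fields per RFC 4302; addresses stay in the authenticated data."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def ah_header(next_hdr, seq, icv):
    return struct.pack("!BBHII", next_hdr, AH_LEN_WORDS, 0, SPI, seq) + icv

def ah_icv(key, ip_hdr, next_hdr, seq, payload):
    """HMAC-SHA1-96 over the immutable IP header, the AH header (ICV zeroed) and the payload."""
    data = ah_immutable_view(ip_hdr) + ah_header(next_hdr, seq, b"\x00" * 12) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ah_protect(key, src, dst, next_hdr, seq, payload):
    """Transport-mode AH: IP header (proto 51) + AH header + original payload."""
    ip_hdr = ipv4_header(src, dst, 51, 24 + len(payload))
    return ip_hdr + ah_header(next_hdr, seq, ah_icv(key, ip_hdr, next_hdr, seq, payload)) + payload

def ah_verify(key, packet):
    """Recompute the ICV from the received header and compare in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_hdr, seq = rest[0], struct.unpack("!I", rest[8:12])[0]
    icv, payload = rest[12:24], rest[24:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, next_hdr, seq, payload))

def _refresh_checksum(h):
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(h))
    return bytes(h)

def router_hop(packet):
    """An ordinary forwarding hop: TTL decremented, checksum fixed. Both are mutable fields."""
    h = bytearray(packet[:20])
    h[8] -= 1
    return _refresh_checksum(h) + packet[20:]

def nat_rewrite_src(packet, new_src):
    """Source NAT: rewrites an address that AH covers, so the ICV no longer matches."""
    h = bytearray(packet[:20])
    h[12:16] = socket.inet_aton(new_src)
    return _refresh_checksum(h) + packet[20:]

def gre_encapsulate(inner, outer_src, outer_dst):
    gre = struct.pack("!HH", 0, 0x0800)  # minimal GRE header, protocol type IPv4
    return ipv4_header(outer_src, outer_dst, 47, 4 + len(inner)) + gre + inner

def gre_decapsulate(packet):
    return packet[24:]  # strip outer IPv4 header (20) + minimal GRE header (4)

def demo():
    """Returns the verification outcome for each scenario discussed on the list."""
    pkt = ah_protect(KEY, "10.1.1.1", "10.2.2.2", 17, 1, b"constructed demo payload")
    tunnelled = gre_encapsulate(pkt, "10.1.1.1", "10.2.2.2")   # AH applied before encap
    return {
        "untouched": ah_verify(KEY, pkt),                                    # True
        "after_router_hop": ah_verify(KEY, router_hop(pkt)),                 # True
        "after_nat": ah_verify(KEY, nat_rewrite_src(pkt, "192.0.2.1")),      # False
        "after_gre_then_nat": ah_verify(KEY, gre_decapsulate(nat_rewrite_src(tunnelled, "192.0.2.1"))),  # True
    }

if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:20s} AH verifies: {ok}")
```

The last scenario is the whole reason (b) and (d) can work: the ICV was taken over the inner header, the NAT only rewrote the outer one, and the receiver verifies after decapsulation. Put the NAT before the AH step instead (or apply AH to the already-encapsulated packet) and it collapses back into case (a).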