At the risk of stating the obvious, an observation about NAT and security... The problem is that IP addresses have overloaded semantics. Security needs an identifier. NAT and routing need locators. At present IP addresses serve both functions. We need to move to a world where locating a node is decoupled from identifying a node. In such a world, NAT could happen without causing IPsec to get broken by the NAT function. The overloaded semantics are broken. Noel has probably been the most outspoken in making this observation, but others have also noted the issue. Ran rja@Home.net
rja@corp.home.net (Ran Atkinson) writes:
At the risk of stating the obvious, an observation about NAT and security...
The problem is that IP addresses have overloaded semantics. Security needs an identifier. NAT and routing need locators. At present IP addresses serve both functions. We need to move to a world where locating a node is decoupled from identifying a node. In such a world, NAT could happen without causing IPsec to get broken by the NAT function.
The overloaded semantics are broken. Noel has probably been the most outspoken in making this observation, but others have also noted the issue.
The notion of separating identifiers from locators most certainly would make *SOME* things easier to do. But doing so also creates *NEW* and *DIFFERENT* problems in other places in the TCP/IP architecture. It is not at all obvious to me that those other problems are any easier to deal with in practice. They certainly aren't trivial to deal with, in any case. Consider Mike O'Dell's 8+8 proposal made to the IPv6 group a year ago or so. That proposal was a partial step in doing such a separation. There were some practical reasons why 8+8 was not adopted. See draft-ietf-ipngwg-esd-analysis-01.txt for more details, especially Section 4. Thomas
participants (2)
-
rja@corp.home.net -
Thomas Narten