RE: ingress filtering problem
> > I'm probably late to the party, but don't (1) and (2) break
> > transport-mode IPsec?
> >
>
> (1) depicts schemes to forward IP packets to the "correct" ISP such that
> the source address matches the ISP's ingress filter. There is no IP
> src/dst rewriting during the process. So, transport-mode IPsec won't be
> affected.
>
> (2) uses NAT to rewrite the locators (IP src/dst) in order to pass
> through the ISP's ingress filter and provides a consistent src/dst
> address pair for the non-multi6 host at the other end of the
> communication. It is no better (or worse) than existing NAT deployments
> regarding IPsec compatibility issues.
Of course, this can only work if you use NAT fully, i.e. keep state per
connection, rewrite the checksums, provide ALG for the protocols that
carry addresses in the payload, accept that the ALG will break if one
uses IPSEC in transport mode, etc. There must be another way...
-- Christian Huitema
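The reply above lists what a "full" NAT has to do (rewrite checksums, keep state, ALGs) and why it breaks transport-mode IPsec. The following is an added example, not code from the thread or from any of its participants, that models this in simplified form: a plain TCP segment, an ESP transport-mode packet (modelled as ESP with NULL encryption, RFC 2410, so the payload is visible but integrity-protected), and an AH transport-mode packet (ICV covering the immutable IP header fields plus payload). A source NAT rewrites the source address and, where it can, fixes the TCP checksum; the receiver then runs its checks. The packet layouts, the HMAC-SHA256-96 ICV, the shared key and the addresses are all constructed for the demo and are not full RFC implementations.

```python
"""
Added example: why a source-rewriting NAT works for plain TCP but breaks
transport-mode IPsec. Simplified models of TCP/ESP/AH, not RFC-complete code.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed shared key for the demo, not a real SA key


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when 'data' already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum covers a pseudo-header that includes IP src/dst, so NAT must recompute it."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (checksum field at offset 16) plus payload."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = header + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    return tcp_checksum(src, dst, segment) == 0


def icv(data: bytes) -> bytes:
    """Integrity check value, modelled as HMAC-SHA256 truncated to 96 bits."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]


def plain_packet(src: str, dst: str, segment: bytes) -> dict:
    return {"src": src, "dst": dst, "segment": segment}


def esp_transport_packet(src: str, dst: str, segment: bytes) -> dict:
    # ESP transport mode: ICV covers the ESP payload (the TCP segment), not the IP header.
    return {"src": src, "dst": dst, "segment": segment, "esp_icv": icv(segment)}


def ah_transport_packet(src: str, dst: str, segment: bytes) -> dict:
    # AH transport mode: ICV covers immutable IP header fields (src/dst here) AND the payload.
    covered = socket.inet_aton(src) + socket.inet_aton(dst) + segment
    return {"src": src, "dst": dst, "segment": segment, "ah_icv": icv(covered)}


def nat(packet: dict, new_src: str) -> dict:
    """Source NAT: rewrite src; fix the TCP checksum only when the segment is not IPsec-protected."""
    out = dict(packet, src=new_src)
    if "esp_icv" not in packet and "ah_icv" not in packet:
        seg = packet["segment"]
        zeroed = seg[:16] + b"\x00\x00" + seg[18:]
        fixed = struct.pack("!H", tcp_checksum(new_src, packet["dst"], zeroed))
        out["segment"] = zeroed[:16] + fixed + zeroed[18:]
    return out  # for ESP/AH the protected bytes are left untouched: any edit would void the ICV


def receive(packet: dict) -> str:
    """Receiver-side checks: IPsec ICV first (if present), then the TCP checksum."""
    src, dst, seg = packet["src"], packet["dst"], packet["segment"]
    if "ah_icv" in packet:
        expected = icv(socket.inet_aton(src) + socket.inet_aton(dst) + seg)
        if not hmac.compare_digest(packet["ah_icv"], expected):
            return "ah_icv_failed"
    if "esp_icv" in packet and not hmac.compare_digest(packet["esp_icv"], icv(seg)):
        return "esp_icv_failed"
    if not tcp_checksum_ok(src, dst, seg):
        return "tcp_checksum_failed"
    return "ok"


def run_scenarios() -> dict:
    """Send the same segment through a source NAT as plain TCP, ESP transport and AH transport."""
    inside, public, peer = "10.0.0.5", "192.0.2.1", "198.51.100.7"  # constructed addresses
    seg = build_tcp_segment(inside, peer, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    results = {}
    for name, build in (("plain", plain_packet), ("esp", esp_transport_packet), ("ah", ah_transport_packet)):
        results[name] = receive(nat(build(inside, peer, seg), public))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:5s} through source NAT -> {verdict}")
```

Running it shows the three outcomes the reply alludes to: the plain segment survives because the NAT recomputes the checksum it can see; the ESP packet passes the ESP integrity check (the IP header is not covered) but then fails the TCP checksum at the receiver, because the pseudo-header now contains the NAT's address and the NAT could not correct the protected checksum; the AH packet fails its ICV outright, since AH covers the source address itself. Application-layer payloads that carry addresses would fail for the same reason as the ESP case, which is the ALG breakage the reply mentions.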