Re: Fw: Re: Block all servers?

2003-10-15 Thread Crist Clark
Chris Brenton wrote: [snip] > True this only works for one to one NAT. Many to one NAT will still > break IPSec, even if ESP is used alone. This is a functionality issue > however (IPSec using a fixed source port of 500), rather than a > "preventing packet modification to thwart man-in-the-middle
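The three failure modes the thread touches on (AH rejecting rewritten headers, many-to-one NAT unable to tell two ESP flows apart, and an IKE peer that insists on UDP 500 at both ends), next to the ESP-in-UDP 4500 workaround that NAT traversal introduced. This is an added, simplified model written for this archive page, not code from any poster or product: the NAT keeps UDP mappings by translated source port and, lacking ports, keys AH/ESP only on (protocol, peer); a real device with an "IPsec passthrough" helper may additionally try to track SPIs. Addresses, SPIs and the gateway/public IPs are constructed.

```python
"""Toy many-to-one NAT (NAPT) showing why AH, bare ESP and a fixed IKE port
500 break behind it, and why ESP-in-UDP (NAT-T, UDP 4500) does not.
Addresses, SPIs and port numbers are constructed for the example."""
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

GW = "198.51.100.1"      # assumed VPN gateway (constructed)
PUBLIC = "203.0.113.7"   # assumed public side of the NAT (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "ah", "esp" or "udp"
    sport: Optional[int] = None  # ports exist only for "udp"
    dport: Optional[int] = None
    spi: Optional[int] = None
    icv: str = ""


def ah_icv(p: Packet) -> str:
    # AH's integrity check covers the immutable IP header fields, addresses
    # included, so any rewrite of src/dst invalidates it.
    return hashlib.sha256(f"{p.src}|{p.dst}|{p.spi}".encode()).hexdigest()


def make_ah(src: str, dst: str, spi: int) -> Packet:
    p = Packet(src, dst, "ah", spi=spi)
    p.icv = ah_icv(p)
    return p


class Napt:
    """All inside hosts share PUBLIC. UDP flows are told apart by a
    translated source port; AH/ESP only by (proto, peer)."""

    def __init__(self) -> None:
        self.by_mapped_port: dict = {}   # mapped port -> (inside ip, inside port)
        self.by_inside: dict = {}        # (inside ip, inside port) -> mapped port
        self.next_port = 40000
        self.raw: dict = {}              # (proto, peer) -> inside ip

    def outbound(self, p: Packet) -> Packet:
        if p.proto == "udp":
            key = (p.src, p.sport)
            if key not in self.by_inside:
                self.by_inside[key] = self.next_port
                self.by_mapped_port[self.next_port] = key
                self.next_port += 1
            return replace(p, src=PUBLIC, sport=self.by_inside[key])
        # No ports to hang a mapping on: a second inside host talking to the
        # same peer simply overwrites the first host's entry.
        self.raw[(p.proto, p.dst)] = p.src
        return replace(p, src=PUBLIC)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == "udp":
            inside = self.by_mapped_port.get(p.dport)
            return None if inside is None else replace(p, dst=inside[0], dport=inside[1])
        inside = self.raw.get((p.proto, p.src))
        return None if inside is None else replace(p, dst=inside)


def ah_through_nat():
    """(ICV valid before NAT, ICV valid after NAT) for one AH packet."""
    p = make_ah("10.0.0.5", GW, 0x1001)
    return ah_icv(p) == p.icv, ah_icv(Napt().outbound(p)) == p.icv


def two_esp_clients():
    """Where the gateway's replies to inside hosts A and B actually land."""
    nat = Napt()
    nat.outbound(Packet("10.0.0.5", GW, "esp", spi=0x1001))
    nat.outbound(Packet("10.0.0.6", GW, "esp", spi=0x2002))
    to_a = nat.inbound(Packet(GW, PUBLIC, "esp", spi=0xA001))  # A's inbound SA
    to_b = nat.inbound(Packet(GW, PUBLIC, "esp", spi=0xB002))  # B's inbound SA
    return to_a.dst, to_b.dst


def two_natt_clients():
    """Same two hosts with ESP encapsulated in UDP 4500 (NAT-T)."""
    nat = Napt()
    out_a = nat.outbound(Packet("10.0.0.5", GW, "udp", 4500, 4500, spi=0x1001))
    out_b = nat.outbound(Packet("10.0.0.6", GW, "udp", 4500, 4500, spi=0x2002))
    to_a = nat.inbound(Packet(GW, PUBLIC, "udp", 4500, out_a.sport, spi=0xA001))
    to_b = nat.inbound(Packet(GW, PUBLIC, "udp", 4500, out_b.sport, spi=0xB002))
    return (to_a.dst, to_a.dport), (to_b.dst, to_b.dport)


def ike_reply(strict_responder: bool):
    """Inside host that receives the IKE reply, or None if the NAT drops it."""
    nat = Napt()
    out = nat.outbound(Packet("10.0.0.5", GW, "udp", 500, 500))
    # A responder that insists on UDP 500 at both ends ignores the NAT's
    # translated source port and answers to 500, for which no mapping exists.
    reply_port = 500 if strict_responder else out.sport
    back = nat.inbound(Packet(GW, PUBLIC, "udp", 500, reply_port))
    return None if back is None else back.dst


if __name__ == "__main__":
    print("AH ICV (before, after NAT):", ah_through_nat())
    print("two ESP clients, replies land on:", two_esp_clients())
    print("two NAT-T clients:", two_natt_clients())
    print("IKE reply, strict responder:", ike_reply(True),
          "| responder honours mapped port:", ike_reply(False))
```

Running it shows host A's ESP replies being delivered to host B once B opens a tunnel to the same gateway, while the UDP 4500 encapsulation gives each host its own translated port and both tunnels survive; the port 500 case only works when the responder talks back to the port the NAT chose rather than to 500.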

Re: Fw: Re: Block all servers?

2003-10-15 Thread Chris Brenton
On Tue, 2003-10-14 at 21:12, Fred Heutte wrote: > > IPSec prevents packet modification to thwart man-in-the-middle > attacks. However, this strong security feature also generates > operational problems. NAT frequently breaks IPSec because it > modifies packets by substituting public IP add

Fw: Re: Block all servers?

2003-10-14 Thread Fred Heutte
The new issue of Network Magazine has a cover story that may be worth a look: "SSL VPNs: Remote Access for the Masses," by Andrew Conry-Murray, which makes a pretty convincing case for the use of SSL VPNs instead of IPSec. A lot of this is still-emerging stuff and the author, to his credit, doesn

Re: Block all servers?

2003-10-14 Thread Stefan Mink
On Tue, Oct 14, 2003 at 10:07:45AM -0700, Crist Clark wrote: > > > Yes, it does work, on a small scale. However what if your neighbor > > > wants to IPSEC to the same place (say you work at the same place). > > > If both of you are NAT'd from the same IP address trying to IPSEC > > > to the same I

Re: Block all servers?

2003-10-14 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Crist Clark writes: > >Kee Hinckley wrote: >> >> At 6:30 PM +0200 10/14/03, Stefan Mink wrote: >> >On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: >> >> > I use IPSEC and it works fine behind NAT. >> >> >> >> Yes, it does work, on a small scale. Howev

Re: Block all servers?

2003-10-14 Thread Crist Clark
Kee Hinckley wrote: > > At 6:30 PM +0200 10/14/03, Stefan Mink wrote: > >On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: > >> > I use IPSEC and it works fine behind NAT. > >> > >> Yes, it does work, on a small scale. However what if your neighbor > >> wants to IPSEC to the same pla

Re: Block all servers?

2003-10-14 Thread Kee Hinckley
At 6:30 PM +0200 10/14/03, Stefan Mink wrote: On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: > I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to IPSEC to the same place (say you work at the same place). If both of

Re: Block all servers?

2003-10-14 Thread Crist Clark
Stefan Mink wrote: > > On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: > > > I use IPSEC and it works fine behind NAT. > > > > Yes, it does work, on a small scale. However what if your neighbor > > wants to IPSEC to the same place (say you work at the same place). > > If both of you a

Re: Block all servers?

2003-10-14 Thread Stefan Mink
On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: > > I use IPSEC and it works fine behind NAT. > > Yes, it does work, on a small scale. However what if your neighbor > wants to IPSEC to the same place (say you work at the same place). > If both of you are NAT'd from the same IP address

Re: Block all servers?

2003-10-12 Thread Petri Helenius
Terry Baranski wrote: That being said, NAT does break stuff and as has been mentioned, filtering is certainly possible without having to bring NAT into the mix. Microsoft assures us that the Windows firewall will be enabled by default starting with WinXP patches early next year. How easy will it

RE: Block all servers?

2003-10-11 Thread Terry Baranski
>> This internet draft is available at: >> http://quimby.gnus.org/internet-drafts/draft-aboba-nat-ipsec-04.txt >> > Ken Emery wrote: > > I can't figure out if anything happened with > this draft (I'm guessing nothing went on). The > draft expired on December 1, 2001. IPSec NAT Traversal is sti

Re: Block all servers?

2003-10-11 Thread ken emery
On Sat, 11 Oct 2003, Steven M. Bellovin wrote: > In message <[EMAIL PROTECTED]>, Alex Yuriev writes: > > > >> Also what about folks who need to VPN in to their office > >> (either via PPTP or IPSEC)? How would you take care of that > >> situation? > > > >IPSEC works over NATs just fine. > > >

Re: Block all servers?

2003-10-11 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Alex Yuriev writes: > >> Also what about folks who need to VPN in to their office >> (either via PPTP or IPSEC)? How would you take care of that >> situation? > >IPSEC works over NATs just fine. > Not in the general case, no. See draft-aboba-nat-ipsec-04.txt if y

Re: Block all servers?

2003-10-11 Thread Petri Helenius
Adam Selene wrote: NAT is more expensive to produce, so it should be an optional premium service, and that seems to be more and more the case. Not necessarily when you consider the cost (in bandwidth, network reliability and support staff) imposed by worms and kiddies from other networks sca

Re: Block all servers?

2003-10-11 Thread Adam Selene
> NAT is more expensive to produce, so it should be an optional > premium service, and that seems to be more and more the case. Not necessarily when you consider the cost (in bandwidth, network reliability and support staff) imposed by worms and kiddies from other networks scanning your IP spac

Re: Block all servers?

2003-10-11 Thread Petri Helenius
Adam Selene wrote: By all means, make a non-NAT IP address an optional premium service, and hope those that request it are sophisticated enough to secure their machine. NAT is more expensive to produce, so it should be an optional premium service, and that seems to be more and more the case. P

Re: Block all servers?

2003-10-11 Thread Alex Yuriev
> Also what about folks who need to VPN in to their office > (either via PPTP or IPSEC)? How would you take care of that > situation? IPSEC works over NATs just fine. Alex

Re: Block all servers?

2003-10-11 Thread ken emery
On Sat, 11 Oct 2003, Adam Selene wrote: > > Also what about folks who need to VPN in to their office > > (either via PPTP or IPSEC)? How would you take care of that > > situation? > > I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor w

Re: Block all servers?

2003-10-11 Thread Adam Selene
> Penalizing users that need (and will pay) for reasonably > accessible two way communication is not the answer, > and never will be. By all means, make a non-NAT IP address an optional premium service, and hope those that request it are sophisticated enough to secure their machine. Adam

Re: Block all servers?

2003-10-11 Thread Adam Selene
> Unfortunately there are enough protocols and applications > which don't work well behind a NAT that deploying this on > a large scale is not practical. It already is deployed upon a large scale. When I had @Home in Seattle (one of the first subscribers), I had a 10.x address. Here in Costa Ric

Re: Block all servers?

2003-10-11 Thread jlewis
Didn't susan ask for this topic to move off-list? Anybody (no...not Merit) care to step up and create a nanog-issues list where such discussions can continue unmolested when the nanog topic police declare an important topic off-topic? I can understand how some operators might not want to han

RE: Block all servers?

2003-10-11 Thread Christopher Bird
:[EMAIL PROTECTED] On > Behalf Of Petri Helenius > Sent: Saturday, October 11, 2003 1:47 AM > To: [EMAIL PROTECTED] > Subject: Re: Block all servers? > > > > Adam Selene wrote: > > >IMHO, all consumer network access should be behind NAT. > > > >

Re: Block all servers?

2003-10-10 Thread Petri Helenius
Adam Selene wrote: IMHO, all consumer network access should be behind NAT. First of all, this would block way too many uses that currently actually sell the consumer network connections. "I recommend my competition to do this" Secondly, it's very hard, if not impossible, to come up with a NAT dev

Re: Block all servers?

2003-10-10 Thread Majdi S. Abbas
On Fri, Oct 10, 2003 at 08:07:05PM -0600, Adam Selene wrote: > IMHO, all consumer network access should be behind NAT. -snip- > As for plug-in "workgroup" networking (the main reason why > everything is open by default), when you create a Workgroup, > it should require a key for that workgroup an

Re: Block all servers?

2003-10-10 Thread ken emery
On Fri, 10 Oct 2003, Adam Selene wrote: > IMHO, all consumer network access should be behind NAT. Unfortunately there are enough protocols and applications which don't work well behind a NAT that deploying this on a large scale is not practical. Most gamers require incoming connections. These

Re: Block all servers?

2003-10-10 Thread Adam Selene
IMHO, all consumer network access should be behind NAT. However, the real solution is (and unfortunately to the detriment of many 3rd party software companies) for operating system companies such as Microsoft to realize a system level firewall is no longer something to be "added on" or configure

RE: Block all servers?

2003-10-10 Thread Christopher Bird
ed Windows boxes accessing the internet (and the WWW) in manners which are to the detriment of everyone else. > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Eric Kuhnke > Sent: Friday, October 10, 2003 7:06 PM > To: [EMAIL PROTEC

RE: Block all servers?

2003-10-10 Thread Eric Kuhnke
The TOS/AUP for most residential broadband connections already allows the ISP to shut off service or do anything they want to the customer without prior notice. It has been this way for at least 3 or 4 years, since the advent of @Home. Take a look at the TOS/AUP for Comcast, Shaw Cable, MSN D

RE: Block all servers?

2003-10-10 Thread Christopher Bird
I agree that Michael is "right on". The social, psychological and financial issues are in many ways more tricky than the technical issues. However, I think there are ways to help. But first some history When I signed up for Cable broadband access several years ago, I was told, "And of course