Re: Fw: Re: Block all servers?

2003-10-15 Thread Chris Brenton
On Tue, 2003-10-14 at 21:12, Fred Heutte wrote: IPSec prevents packet modification to thwart man-in-the-middle attacks. However, this strong security feature also generates operational problems. NAT frequently breaks IPSec because it modifies packets by substituting public IP

Re: Fw: Re: Block all servers?

2003-10-15 Thread Crist Clark
Chris Brenton wrote: [snip] True this only works for one to one NAT. Many to one NAT will still break IPSec, even if ESP is used alone. This is a functionality issue however (IPSec using a fixed source port of 500), rather than a preventing packet modification to thwart man-in-the-middle

Re: Block all servers?

2003-10-14 Thread Stefan Mink
On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to IPSEC to the same place (say you work at the same place). If both of you are NAT'd from the same IP address

Re: Block all servers?

2003-10-14 Thread Crist Clark
Stefan Mink wrote: On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to IPSEC to the same place (say you work at the same place). If both of you are NAT'd

Re: Block all servers?

2003-10-14 Thread Kee Hinckley
At 6:30 PM +0200 10/14/03, Stefan Mink wrote: On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to IPSEC to the same place (say you work at the same place). If both of

Re: Block all servers?

2003-10-14 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Crist Clark writes: Kee Hinckley wrote: At 6:30 PM +0200 10/14/03, Stefan Mink wrote: On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote: I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your

Fw: Re: Block all servers?

2003-10-14 Thread Fred Heutte
The new issue of Network Magazine has a cover story that may be worth a look: SSL VPNs: Remote Access for the Masses, by Andrew Conry-Murray, which makes a pretty convincing case for the use of SSL VPNs instead of IPSec. A lot of this is still-emerging stuff and the author, to his credit,

Re: Block all servers?

2003-10-12 Thread Petri Helenius
Terry Baranski wrote: That being said, NAT does break stuff and as has been mentioned, filtering is certainly possible without having to bring NAT into the mix. Microsoft assures us that the Windows firewall will be enabled by default starting with WinXP patches early next year. How easy will

Re: Block all servers?

2003-10-11 Thread Majdi S. Abbas
On Fri, Oct 10, 2003 at 08:07:05PM -0600, Adam Selene wrote: IMHO, all consumer network access should be behind NAT. -snip- As for plug-in workgroup networking (the main reason why everything is open by default), when you create a Workgroup, it should require a key for that workgroup and

Re: Block all servers?

2003-10-11 Thread Petri Helenius
Adam Selene wrote: IMHO, all consumer network access should be behind NAT. First of all, this would block way too many uses that currently actually sell the consumer network connections. I recommend my competition to do this Secondly, it's very hard, if not impossible to come up with a NAT

RE: Block all servers?

2003-10-11 Thread Christopher Bird
To: [EMAIL PROTECTED] Subject: Re: Block all servers? Adam Selene wrote: IMHO, all consumer network access should be behind NAT. First of all, this would block way too many uses that currently actually sell the consumer network connections. I recommend my competition to do

Re: Block all servers?

2003-10-11 Thread jlewis
Didn't susan ask for this topic to move off-list? Anybody (no...not Merit) care to step up and create a nanog-issues list where such discussions can continue unmolested when the nanog topic police declare an important topic off-topic? I can understand how some operators might not want to

Re: Block all servers?

2003-10-11 Thread Adam Selene
Unfortunately there are enough protocols and applications which don't work well behind a NAT that deploying this on a large scale is not practical. It already is deployed upon a large scale. When I had @Home in Seattle (one of the first subscribers), I had a 10.x address. Here in Costa Rica,

Re: Block all servers?

2003-10-11 Thread Adam Selene
Penalizing users that need (and will pay) for reasonably accessible two way communication is not the answer, and never will be. By all means, make a non-NAT IP address an optional premium service, and hope those that request it are sophisticated enough to secure their machine. Adam

Re: Block all servers?

2003-10-11 Thread ken emery
On Sat, 11 Oct 2003, Adam Selene wrote: Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? I use IPSEC and it works fine behind NAT. Yes, it does work, on a small scale. However what if your neighbor wants to

Re: Block all servers?

2003-10-11 Thread Alex Yuriev
Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? IPSEC works over NATs just fine. Alex

Re: Block all servers?

2003-10-11 Thread Petri Helenius
Adam Selene wrote: By all means, make a non-NAT IP address an optional premium service, and hope those that request it are sophisticated enough to secure their machine. NAT is more expensive to produce, so it should be an optional premium service, and that seems to be more and more the case.

Re: Block all servers?

2003-10-11 Thread Adam Selene
NAT is more expensive to produce, so it should be an optional premium service, and that seems to be more and more the case. Not necessarily when you consider the cost (in bandwidth, network reliability and support staff) imposed by worms and kiddies from other networks scanning your IP space

Re: Block all servers?

2003-10-11 Thread Steven M. Bellovin
In message [EMAIL PROTECTED], Alex Yuriev writes: Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? IPSEC works over NATs just fine. Not in the general case, no. See draft-aboba-nat-ipsec-04.txt if you can

Re: Block all servers?

2003-10-11 Thread ken emery
On Sat, 11 Oct 2003, Steven M. Bellovin wrote: In message [EMAIL PROTECTED], Alex Yuriev writes: Also what about folks who need to VPN in to their office (either via PPTP or IPSEC)? How would you take care of that situation? IPSEC works over NATs just fine. Not in the general

RE: Block all servers?

2003-10-11 Thread Terry Baranski
This internet draft is available at: http://quimby.gnus.org/internet-drafts/draft-aboba-nat-ipsec-04.txt Ken Emery wrote: I can't figure out if anything happened with this draft (I'm guessing nothing went on). The draft expired on December 1, 2001. IPSec NAT Traversal is still being

RE: Block all servers?

2003-10-10 Thread Christopher Bird
I agree that Michael is right on. The social, psychological and financial issues are in many ways more tricky than the technical issues. However, I think there are ways to help. But first some history. When I signed up for Cable broadband access several years ago, I was told, And of course

RE: Block all servers?

2003-10-10 Thread Eric Kuhnke
The TOS/AUP for most residential broadband connections already allows the ISP to shut off service or do anything they want to the customer without prior notice. It has been this way for at least 3 or 4 years, since the advent of @Home. Take a look at the TOS/AUP for Comcast, Shaw Cable, MSN

RE: Block all servers?

2003-10-10 Thread Christopher Bird
accessing the internet (and the WWW) in manners which are to the detriment of everyone else. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Kuhnke Sent: Friday, October 10, 2003 7:06 PM To: [EMAIL PROTECTED] Subject: RE: Block all

Re: Block all servers?

2003-10-10 Thread Adam Selene
IMHO, all consumer network access should be behind NAT. However, the real solution is (and unfortunately to the detriment of many 3rd party software companies) for operating system companies such as Microsoft to realize a system level firewall is no longer something to be added on or configured

Re: Block all servers?

2003-10-10 Thread ken emery
On Fri, 10 Oct 2003, Adam Selene wrote: IMHO, all consumer network access should be behind NAT. Unfortunately there are enough protocols and applications which don't work well behind a NAT that deploying this on a large scale is not practical. Most gamers require incoming connections. These