

Archive: November 2002 ml@sikurezza.org
Subject: Re: VPN and XP
From: Enrico Sorge
Date: 25 Nov 2002 21:09:52 -0000
At 18.26 22/11/2002 +0100, you wrote:
>To get around the NAT incompatibility problems of widely used VPN
>protocols such as IPSec (ESP = proto 50, AH = proto 51) and PPTP
>(1724/TCP + GRE = proto 47), some solutions have been proposed.
>
>Specifically for IPSec there are proposals to encapsulate IPSec inside
>UDP packets, thus allowing the device that performs NAT on the front end
>to handle that connection by inserting it into its connection table.
>
>The references can be found here:
>http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-01.txt
>http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-justification-00.txt
>http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-01.txt

Hi FaBBio,

regarding the NAT vs IPSEC problems, a while ago I read in Cisco's IPJ an
article entitled "The trouble with NAT"

[...]
If you cannot avoid translating IPSec-protected traffic midstream, limit
use of IPSec to tunnel-mode ESP and design security policies with care. If
you simply cannot NAT before IPSec or require transport-mode ESP,
there may still be hope. The Internet Engineering Task Force (IETF) is
now defining Realm-Specific IP (RSIP), an alternative that may someday
prove kinder to IPSec.

What Is RSIP?
RSIP leases public IP addresses and ports to RSIP hosts located in private
addressing realms. Unlike NAT, RSIP does not operate in stealth
mode and does not translate addresses on the fly. Instead, RSIP allows
hosts to directly participate concurrently in several addressing realms.
Although RSIP does require host awareness, it avoids violating the
end-to-end nature of the Internet. With RSIP, IP payload flows from source
to destination without modifications that cripple IPSec AH and many
other NAT-sensitive protocols.
[...]

For more info:
http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html
http://www.isp-planet.com/technology/rsip.html
http://www.isp-planet.com/technology/rsip-b.html
http://www.ietf.org/internet-drafts/draft-ietf-nat-rsip-framework-04.txt
http://www.ietf.org/internet-drafts/draft-ietf-nat-rsip-ipsec-03.txt

Could it be a valid alternative?

Cheers
Enrico

------------------------------------------------------------------------
Enrico Sorge - ITsys s.r.l.
e.sorge@itsys.it - enrico.sorge@securenetwork.it

PGP/GPG Key 1024D/4EC0609B
http://www.securenetwork.it/esorge/docs/esorge.asc
Key Fingerprint - 3D9A C13E BC29 9B26 DC6C 230B 7721 8E0C 4EC0 609B



________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List



