TechWeb Planet IT
Why Can't IPsec and NAT Just Get Along?
PAGE 2 OF 7

NAPT (Network Address Port Translation) is the form of translation with which most people are familiar. NAPT is used almost exclusively by access devices designed to hide small-to-medium-sized networks behind a single public IP address. NAPT works by translating the source IP address and the source port number on the public interface (see "NAPT" graphic below).

NAPT is especially useful when cable or DSL access is deployed, because many service providers charge extra for multiple computers to be connected to the Internet (though how many addresses you get and for how much is locale-specific).

IPsec Modes

Next, a general background on IPsec: there are two modes of IPsec. Transport mode simply applies the IPsec protocols to an IP packet and leaves the original IP header visible. Transport mode can be used only in a host-to-host IPsec VPN. Tunnel mode encapsulates the original IP packet inside a new IPsec packet with a new IP header, which effectively hides the original packet from view. Tunnel mode must be used for host-to-gateway IPsec, the common remote-access scenario.

There are two IPsec protocols with which we're concerned: AH (Authentication Header) and ESP (Encapsulating Security Payload). AH, rarely deployed, verifies that the fields required to prove the identity of the sending device, such as the source and destination IP addresses, have not been altered en route. If the packet fails the verification, it is dropped. Thus, AH provides data integrity and origin authentication. We'll see later that AH is broken by all forms of NAT. ESP, on the other hand, encrypts the IP data. When used in tunnel mode, it provides data integrity and origin authentication services as well.
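As an added illustration that is not part of this article, the following Python model ties the NAPT description and the AH/ESP description together: a toy NAPT device rewrites the source address and port, and that rewrite invalidates an AH-style integrity check (which covers the outer source and destination addresses) while leaving an ESP tunnel-mode check (which covers only the encapsulated inner packet) intact. The addresses, the shared key, the `Napt` class and the HMAC-based check are constructed for the demo and greatly simplify real AH/ESP processing.

```python
import hmac
import hashlib

KEY = b"demo-shared-key"  # constructed; in IPsec this comes from the security association
PRIVATE_IP, PUBLIC_IP, PEER_IP = "192.168.1.10", "198.51.100.1", "203.0.113.5"

def icv(*fields):
    # Toy integrity check value: an HMAC over the fields the protocol protects.
    return hmac.new(KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()

def ah_icv(pkt):
    # AH's check covers the outer IP header's immutable fields (source and
    # destination address among them) together with the payload.
    return icv(pkt["src"], pkt["dst"], pkt["payload"])

def esp_tunnel_icv(pkt):
    # ESP tunnel mode authenticates the encapsulated inner packet only;
    # the new outer IP header lies outside the protected region.
    inner = pkt["inner"]
    return icv(inner["src"], inner["dst"], inner["payload"])

class Napt:
    """Toy NAPT access device: maps (private address, source port) to a public port."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def translate(self, pkt):
        key = (pkt["src"], pkt.get("sport"))
        if key not in self.table:          # allocate a fresh public port per flow
            self.table[key] = self.next_port
            self.next_port += 1
        out = dict(pkt, src=self.public_ip)  # rewrite the source address
        if "sport" in pkt:
            out["sport"] = self.table[key]   # and the source port, if the packet has one
        return out

def verify(pkt, icv_fn, expected):
    return hmac.compare_digest(icv_fn(pkt), expected)

def ah_survives_napt():
    pkt = {"src": PRIVATE_IP, "dst": PEER_IP, "payload": "GET / HTTP/1.0"}
    return verify(Napt(PUBLIC_IP).translate(pkt), ah_icv, ah_icv(pkt))

def esp_tunnel_survives_napt():
    inner = {"src": PRIVATE_IP, "dst": "10.0.0.7", "payload": "GET / HTTP/1.0"}
    pkt = {"src": PRIVATE_IP, "dst": PEER_IP, "inner": inner}
    return verify(Napt(PUBLIC_IP).translate(pkt), esp_tunnel_icv, esp_tunnel_icv(pkt))

if __name__ == "__main__":
    print("AH check passes after NAPT:", ah_survives_napt())                  # False
    print("ESP tunnel check passes after NAPT:", esp_tunnel_survives_napt())  # True
```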

