Tcpcrypt supports authentication; it's just not mandatory. This is not the same thing as no authentication. As I wrote in my first comment, I believe mandatory authentication is one of the biggest mistaken design decisions of all time.
But even when using an authenticated connection, tcpcrypt works with NAT. It accomplishes this feat by not encrypting or authenticating the port numbers. This design allows for some attacks (such as traffic analysis on port numbers), but the tradeoff seems to be worth it. The USENIX paper discusses this issue in some detail.
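The tradeoff described in the comment above can be seen in a small model. This is an added example, not part of the original comment and not tcpcrypt's code: the 8-byte header layout, the HMAC-SHA256 input, the key and the port values are all constructed assumptions and do not reproduce tcpcrypt's real wire format.

```python
import hashlib
import hmac
import struct

# Simplified 8-byte header: src port, dst port, sequence number (constructed model,
# not the real TCP header and not tcpcrypt's actual MAC input).
HDR = struct.Struct("!HHI")

def mac(key, segment, cover_ports):
    """HMAC-SHA256 over the segment; ports are zeroed first unless cover_ports."""
    src, dst, seq = HDR.unpack_from(segment)
    if not cover_ports:
        src = dst = 0  # ports excluded from integrity protection
    data = HDR.pack(src, dst, seq) + segment[HDR.size:]
    return hmac.new(key, data, hashlib.sha256).digest()

def verify(key, segment, tag, cover_ports):
    """Constant-time check of the tag against the received segment."""
    return hmac.compare_digest(mac(key, segment, cover_ports), tag)

def nat_rewrite(segment, new_src_port):
    """What a NAT does to an outbound segment: replace the source port."""
    _, dst, seq = HDR.unpack_from(segment)
    return HDR.pack(new_src_port, dst, seq) + segment[HDR.size:]

def demo():
    """Return {cover_ports: (valid_after_nat, valid_after_payload_tamper)}."""
    key = b"constructed-session-key"            # constructed sample key
    sent = HDR.pack(51000, 443, 1) + b"hello"   # constructed sample segment
    natted = nat_rewrite(sent, 62001)
    tampered = natted[:-1] + b"!"               # payload modified in transit
    results = {}
    for cover in (False, True):
        tag = mac(key, sent, cover)
        results[cover] = (verify(key, natted, tag, cover),
                          verify(key, tampered, tag, cover))
    return results

if __name__ == "__main__":
    for cover, (nat_ok, tamper_ok) in demo().items():
        print(f"ports covered={cover}: valid after NAT={nat_ok}, "
              f"valid after payload tamper={tamper_ok}")
```

With ports left out of the MAC, the segment still verifies after the NAT rewrites the source port, while payload tampering is rejected either way; the cost is that the port numbers themselves carry no integrity or confidentiality protection.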
Copyright © 2018, Eklektix, Inc.