[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Thomas Narten's DISCUSS vote

To: tytso@MIT.EDU
Subject: Re: Thomas Narten's DISCUSS vote
From: Vipul Gupta <vgupta@nobel.Eng.Sun.COM>
Date: Fri, 22 May 1998 14:42:38 -0700 (PDT)
Cc: ipsec@tis.com
Reply-To: Vipul Gupta <vgupta@nobel.Eng.Sun.COM>
Sender: owner-ipsec@ex.tis.com


  I think Tom's comment is valid. Even when used with NULL encryption, 
  ESP's integrity check will include the TCP/UDP header and,
  in particular, the TCP/UDP checksum field. Since this
  checksum is computed over a pseudoheader which includes
  the IP src and destination, a NAT box would need to
  update the checksum whenever it updates the IP src/dst
  fields.
  
    Unless the NAT box has knowledge of the SA parameters
  protecting the traffic, one of two things will happen:
   - IP src/dst is updated but not the checksum =>
     transport checksum failure at the receiver
   - NAT box changes IP src/dst and updates checksum =>
     ESP integrity failure at the receiver
     
  vipul
  

> >
> >>     The NULL Encryption Algorithm and Its Use With IPsec [PROPOSED]
> >>        <draft-ietf-ipsec-ciph-null-00.txt>
> >
> >
> >>    The IPsec Authentication Header [AH] specification provides a similar
> >>    service, by computing authentication data which covers the data
> >>    portion of a packet as well as the immutable in transit portions of
> >>    the IP header.  ESP_NULL does not include the IP header in
> >>    calculating the authentication data.  This can be useful in providing
> >>    IPsec services through Network Address Translation (NAT) devices and
> >>    non-IP network devices.   The discussion on how ESP_NULL might be
> >>    used with NAT and non-IP network devices is outside the scope of this
> >>    document.
> >

 [Tom Narten wrote:]
 
> >Comment about NAT seems very questionable, since all useful protocols
> >that run on IP (i.e. TCP/UDP) have a pseudo-header that depends on the
> >addresses.  I suspect the authors were thinking that with the payload
> >in the clear, NAT could update the checksum. However, the AH check
> >will not allow that. Suggest removing text.

 [to which Ted Tso responded ...]
  
> The text is valid; ESP includes integrity protection, although ESP
> doesn't cover the IP header.  In the new IPSEC scheme, it is extremely
> unlikely that someone will use both ESP and AH.  ESP-NULL provides no
> data confidentiality, but it does provide integrity over the packet data
> (but not of the IP headers), thus allowing NAT boxes to muck with the IP
> headers.  
> 
> Whether or not this is a horrible abstraction violation is besides the
> point; if the goal is to allow NAT boxes to work, while still providing
> data integrity services for the packet contents, ESP NULL is one way of
> accomplishing that goal.

Prev by Date: Life and death of IKE SAs and IPSEC SAs
Next by Date: Re: Thomas Narten's DISCUSS vote
Prev by thread: Re: Thomas Narten's DISCUSS vote
Next by thread: Re: Thomas Narten's DISCUSS vote
Index(es):
- Main
- Thread