
Re: Thomas Narten's DISCUSS vote



But you are trying to NAT the inner IP header.  The outer IP header's src IP
address is the Security Gateway's IP address.  That is an externally valid IP
address (otherwise it won't fly in the Internet).  The address you need to NAT
is the src IP address in the inner IP header that belongs to some host inside
the enterprise that has the illegal/net-10 address.

Vach Kompella
IBM Corp.



owner-ipsec@ex.tis.com on 05/24/98 07:17:43 AM
Please respond to gab@Eng.Sun.Com
To: ipsec@tis.com
cc:
Subject: Re: Thomas Narten's DISCUSS vote



"Vipul Gupta" <vgupta@nobel.eng.sun.com> wrote:

>Date: Fri, 22 May 1998 14:42:38 -0700 (PDT)
>
>  I think Tom's comment is valid. Even when used with NULL encryption,
>  ESP's integrity check will include the TCP/UDP header and,

Only assuming transport mode ESP. Tunnel mode ESP should work
fine.

Perhaps this should be mentioned explicitly in the ESP_NULL draft:


>> >>    The IPsec Authentication Header [AH] specification provides a similar
>> >>    service, by computing authentication data which covers the data
>> >>    portion of a packet as well as the immutable in transit portions of
>> >>    the IP header.  ESP_NULL does not include the IP header in
>> >>    calculating the authentication data.  This can be useful in providing
>> >>    IPsec services through Network Address Translation (NAT) devices and
>> >>    non-IP network devices.
         ^^^^^^^^^^^^^^^^^^^^^^^, particularly if using tunnel mode.

>> >>   The discussion on how ESP_NULL might be
>> >>    used with NAT and non-IP network devices is outside the scope of this
>> >>    document.
>> >


-gabriel
