
Re: Thomas Narten's DISCUSS vote




Gabriel is right about NULL-ESP not impacting NAT packets in tunnel 
mode ESP. This is because the original packet (say, with a net 10 src
address) would have been subject to NAT translation already prior to 
being tunneled. If it wasn't NAT translated, then it is not a NAT packet.

Secondly, as Vipul and Thomas Narten pointed out earlier, NULL_ESP in 
transport mode won't provide IPsec service for TCP/UDP NAT packets. But 
NULL_ESP in transport mode does provide IPsec service for non-TCP/UDP 
pkts (e.g. ICMP). I.e., protocols that do not indirectly embed IP address 
integrity within their header/payload can be NAT translated with 
NULL-ESP.

cheers,
suresh

> 
> But you are trying to NAT the inner IP header.  The outer IP header's src IP
> address is the Security Gateway's IP address.  That is an externally valid IP
> address (otherwise it won't fly in the Internet).  The address you need to NAT
> is the src IP address in the inner IP header that belongs to some host inside
> the enterprise that has the illegal/net-10 address.
> 
> Vach Kompella
> IBM Corp.
> 
> 
> 
> owner-ipsec@ex.tis.com on 05/24/98 07:17:43 AM
> Please respond to gab@Eng.Sun.Com
> To: ipsec@tis.com
> cc:
> Subject: Re: Thomas Narten's DISCUSS vote
> 
> 
> 
> "Vipul Gupta" <vgupta@nobel.eng.sun.com> wrote:
> 
> >Date: Fri, 22 May 1998 14:42:38 -0700 (PDT)
> >
> >  I think Tom's comment is valid. Even when used with NULL encryption,
> >  ESP's integrity check will include the TCP/UDP header and,
> 
> Only assuming transport mode ESP. Tunnel mode ESP should work
> fine.
> 
> Perhaps this should be mentioned explicitly in the ESP_NULL draft:
> 
> 
> >> >>    The IPsec Authentication Header [AH] specification provides a similar
> >> >>    service, by computing authentication data which covers the data
> >> >>    portion of a packet as well as the immutable in transit portions of
> >> >>    the IP header.  ESP_NULL does not include the IP header in
> >> >>    calculating the authentication data.  This can be useful in providing
> >> >>    IPsec services through Network Address Translation (NAT) devices and
> >> >>    non-IP network devices.
>          ^^^^^^^^^^^^^^^^^^^^^^^, particularly if using tunnel mode.
> 
> >> >>   The discussion on how ESP_NULL might be
> >> >>    used with NAT and non-IP network devices is outside the scope of this
> >> >>    document.
> >> >
> 
> 
> -gabriel
> 
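The three cases argued over in this thread (transport-mode ESP_NULL over TCP through a NAT, transport-mode ESP_NULL over ICMP, and tunnel-mode ESP with the inner packet translated before encapsulation) can be checked mechanically. The script below is an added illustration, not code from the thread or from any IPsec implementation: the addresses and key are constructed, the ESP integrity check value is stood in for by an HMAC over the bytes ESP protects (everything after the IP header, never the IP header itself), and NAT is reduced to a source-address rewrite with the checksum fix-ups a real NAT would apply. The point it shows is the one Suresh and Vipul make: the TCP checksum binds the IP addresses into the protected bytes, so a NAT in the path either breaks the ICV (if it fixes the checksum) or the transport checksum (if it does not), while ICMP and a pre-translated tunnel-mode inner packet pass.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): a net-10 host, the public
# address a NAT assigns it, the remote peer, and a security gateway.
INSIDE_HOST = "10.1.2.3"
NAT_PUBLIC = "192.0.2.10"
REMOTE_HOST = "198.51.100.7"
SECURITY_GW = "192.0.2.1"
GW_PUBLIC = "203.0.113.5"
ICV_KEY = b"constructed-demo-key"  # hypothetical shared integrity key


def ip_to_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by IPv4, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, data):
    """TCP header; its checksum covers a pseudo-header holding both IP addresses."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!BBH", 0, 6, len(hdr) + len(data))
    csum = inet_checksum(pseudo + hdr + data)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + data


def icmp_echo(data):
    """ICMP echo request; its checksum covers only the ICMP message, no IP address."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return hdr[:2] + struct.pack("!H", inet_checksum(hdr + data)) + hdr[4:] + data


def protected_bytes(packet):
    """What ESP_NULL authenticates in this model: everything after the IP header."""
    return packet[(packet[0] & 0x0F) * 4:]


def icv(protected):
    """Stand-in for the ESP integrity check value (an HMAC, not real ESP framing)."""
    return hmac.new(ICV_KEY, protected, hashlib.sha256).digest()


def nat_src(packet, new_src, fix_transport_checksum=True):
    """Source NAT: rewrite src address, fix the IP checksum, and optionally
    recompute the TCP checksum (its pseudo-header changed). ICMP and ESP
    payloads are left untouched."""
    ihl = (packet[0] & 0x0F) * 4
    ip, rest = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[12:16] = ip_to_bytes(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    if ip[9] == 6 and fix_transport_checksum:
        rest[16:18] = b"\x00\x00"
        pseudo = bytes(ip[12:16]) + bytes(ip[16:20]) + struct.pack("!BBH", 0, 6, len(rest))
        rest[16:18] = struct.pack("!H", inet_checksum(pseudo + bytes(rest)))
    return bytes(ip + rest)


def transport_checksum_ok(packet):
    """Validate TCP (with pseudo-header) or ICMP checksum against the addresses
    the packet now carries; a valid checksum sums to zero."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    if packet[9] == 6:
        pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(seg))
        return inet_checksum(pseudo + seg) == 0
    if packet[9] == 1:
        return inet_checksum(seg) == 0
    return True


def receiver_accepts(packet, tag, tunnel=False):
    """Receiving peer: verify the ICV, then (after decapsulation in tunnel mode)
    hand the packet to the transport layer, which checks its own checksum."""
    prot = protected_bytes(packet)
    if not hmac.compare_digest(icv(prot), tag):
        return "icv_failed"
    inner = prot if tunnel else packet
    return "ok" if transport_checksum_ok(inner) else "bad_transport_checksum"


def run_scenarios():
    data = b"GET / HTTP/1.0\r\n\r\n"  # constructed payload
    results = {}
    # Transport mode over TCP, NAT between the IPsec peers: broken either way.
    tcp = tcp_segment(INSIDE_HOST, REMOTE_HOST, data)
    pkt = ipv4_header(INSIDE_HOST, REMOTE_HOST, 6, len(tcp)) + tcp
    tag = icv(protected_bytes(pkt))
    results["transport_tcp_nat_fixes_checksum"] = receiver_accepts(nat_src(pkt, NAT_PUBLIC, True), tag)
    results["transport_tcp_nat_leaves_checksum"] = receiver_accepts(nat_src(pkt, NAT_PUBLIC, False), tag)
    # Transport mode over ICMP: no address inside the protected bytes, so NAT is harmless.
    icmp = icmp_echo(data)
    pkt = ipv4_header(INSIDE_HOST, REMOTE_HOST, 1, len(icmp)) + icmp
    results["transport_icmp"] = receiver_accepts(nat_src(pkt, NAT_PUBLIC), icv(protected_bytes(pkt)))
    # Tunnel mode: inner packet NATed before the gateway protects it; outer header NATed after.
    tcp = tcp_segment(INSIDE_HOST, REMOTE_HOST, data)
    inner = nat_src(ipv4_header(INSIDE_HOST, REMOTE_HOST, 6, len(tcp)) + tcp, NAT_PUBLIC)
    outer = ipv4_header(SECURITY_GW, REMOTE_HOST, 50, len(inner)) + inner
    results["tunnel_tcp"] = receiver_accepts(nat_src(outer, GW_PUBLIC), icv(protected_bytes(outer)), tunnel=True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, "->", outcome)
```

The model leaves out the ESP header, trailer and sequence numbers because they do not change the conclusion: whatever the exact ESP framing, the IP header stays outside the ICV and the TCP checksum field stays inside it, which is the whole reason transport mode and address translation do not mix for TCP/UDP.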