
Re: TCP checksum recalculation



Hello,

At 12:28 20.07.99 -0400, Robert Moskowitz wrote:
>Oh with MIKE, consider that at each IKE SA boundary, the addresses are
>altered at each point (shades of RSIP), so then TCP checksum would really
>be broken and partial recalculation would be different (not just TTL, but
>whole IP).

MIKE is a kind of "application-level gateway", and from the transport view the messages are exchanged in unsecured UDP packets between MIKE instances in the same IP realm (if these instances are at the border of a realm; otherwise - NAT between two MIKE daemons - raises the same (minor) issues as IKE over NAT).

Hmm, I didn't really watch the RSIP developments, but there could be other advantages for RSIP servers to know about the relation of 
{dst, SPI, ESP} <-> {src, dst, s-port, d-port}....
In draft-ietf-nat-rsip-ipsec-00.txt, RSIP servers utilize SPIs to demultiplex incoming traffic, but they need to *negotiate* a SPI with the client, which it finally uses end-2-end. This MIKE doesn't provide (yet?).

Kai
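The point in the quoted text, that an address rewrite breaks the TCP checksum because the pseudo-header covers both IP addresses, and that a router's TTL decrement only touches the IP header checksum, can be checked numerically. The following is an added example, not code from the thread or from MIKE/RSIP: it computes the full checksum and the RFC 1624 incremental update (HC' = ~(~HC + ~m + m')) for both cases on constructed addresses and headers.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit words of data into a one's complement sum (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Full recomputation: IPv4 pseudo-header (addresses, zero, proto 6, length) + segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]  # checksum field treated as zero
    return ~ones_complement_sum(pseudo + zeroed) & 0xFFFF

def incremental_update(old_csum: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied to every rewritten 16-bit word."""
    acc = ~old_csum & 0xFFFF  # back to the one's complement sum
    for (m,), (m_new,) in zip(struct.iter_unpack("!H", old_bytes), struct.iter_unpack("!H", new_bytes)):
        acc += (~m & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return ~acc & 0xFFFF

def build_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed minimal TCP header (SYN, no options) with the checksum field zeroed."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload

def nat_rewrite_src(old_src: str, new_src: str, dst: str, segment: bytes):
    """NAT rewrites the source address: return (old, incremental, full) TCP checksums."""
    old_csum = tcp_checksum(old_src, dst, segment)
    incremental = incremental_update(old_csum, socket.inet_aton(old_src), socket.inet_aton(new_src))
    full = tcp_checksum(new_src, dst, segment)
    return old_csum, incremental, full

def ip_header_checksum(header: bytes) -> int:
    """Full IPv4 header checksum with the checksum field (offset 10) treated as zero."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return ~ones_complement_sum(zeroed) & 0xFFFF

def ttl_decrement(src_ip: str, dst_ip: str, ttl: int):
    """Router hop on a constructed IPv4 header: IP checksum after TTL-1, both methods."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    old = ip_header_checksum(hdr)
    new_hdr = hdr[:8] + bytes([ttl - 1]) + hdr[9:]  # only the TTL/protocol word changes
    return incremental_update(old, hdr[8:10], new_hdr[8:10]), ip_header_checksum(new_hdr)
```

The address rewrite changes the TCP checksum even though the TCP bytes are untouched, which is exactly what a NAT (or an ESP endpoint that rewrites addresses) must compensate for; the TTL case leaves the TCP checksum alone.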
