
Re: NAT and IPsec



Markus Stenberg writes:

> I think that you need something beyond UDP header to be able to support all
> modes (for example, original header length so that extra options which may
> or may not get snipped off can be stored elsewhere).

Can we develop something more specific here? What <something> and what
<mode/feature>? For instance, I suppose header length and options are only
relevant if one uses AH? Is there something that transport mode requires?
What about the NAT operations performed by the hosts, do they require any
extra information beyond the UDP header?

Add to that an analysis of the presented approaches according to the
criteria (supported cases, overhead, complexity, and ease of deployment).
Then we'll be a lot closer to understanding which way to go.

Also, I've got a new question regarding this whole IPsec over NAT business.
I've been reading the notes of the previous NAT WG meeting:

>Marcus Leech (AD): IPSec WG will be chartered to deal with the
>interoperability issues.

To the working group: what does the above mean? I have not noticed
a change in the IPsec WG charter, will there be one? Is modifying IPsec
and IKE a legitimate work item of this WG for this particular purpose?

Jari



