
Re: NAT and IPsec




--- Ari Huttunen <Ari.Huttunen@F-Secure.com> wrote:
> 
> Joern Sierwald wrote:
> > 
> > At 14:31 19.10.2000 +0300, Jari Arkko wrote:
> > >I have some questions and some issues I'd like to discuss.
> > >Here they are:
> > >
> > >* In terms of requirements, I think we'd be on the wrong path
> > >  if we put much effort in getting all IPsec and IKE modes
> > >  to work. I'd rather have a simple scheme that allows only
> > >  ESP and only TUNNEL mode and only ... than a complex scheme.
> > 
> > It should be noted that our (huttunen) scheme is as simple as
> > it possibly can be.
> 
> Almost.. It could have been made somewhat simpler but I was constrained
> by a couple of factors. The first factor was the IPR statement that
> appears in the Stenberg draft. I made the assumption that SSH had filed
> for a patent recently, and I tried not to use methods in my draft that
> would not be self-evident for everyone. Another factor is the way
> private numbers and payloads are allowed to be used in IKE. Having
> now read through that patent application (assuming there is only one),
> I'm in a position to create an even simpler draft that according to
> my understanding does not infringe on the patent, if there is to be
> one of course. This is my best understanding at this time, but I may
> of course be wrong. You must not use this paragraph in any legal decision
> to use or not use the draft that we've written.
> 
> I'll have more to say about this later as I suggest how my draft can
> be improved, but for now I'll just go through these messages and answer
> some points in them.
> 

A couple of questions:
    1. Sanity check: I believe ESPUDP is a specific instance of a UDP
       application, when the destination/source port is set to 2746 or 2797.
       Is this correct? The ESPUDP port apparently requires an ESP header
       to follow the UDP header, right? Does this ESPUDP also mandate
       that the UDP checksum field be turned off?

    2. Assuming the above assertion is valid, the transport mode will not
       work with TCP/UDP packets for NAPT for the following 2 reasons:
       A. Checksum failure, as pointed out in the draft [section 6]
       B. 2 independent hosts in the same private domain could be
          using the same (source port, destination port) pair and the
          external node will have no way to distinguish between the two.

    3. As for tunnel mode using the ESPUDP port, I don't see the
       point of transporting private addresses across to an external
       domain. This is essentially moving the NAT function from possibly
       multiple private domains to a single external node. This is very
       problematic and shouldn't be used, in my opinion.

Thanks.

cheers,
suresh
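As an added illustration of points 2.A and 2.B above (example code written for this page, not part of the thread or either draft): it models ESP as an opaque payload that the NAPT can neither read nor rewrite, uses constructed addresses, and shows why a transport-mode TCP checksum fails once the outer source address is translated while tunnel mode, which carries the inner IP header, still verifies.

```python
import socket
import struct
# Constructed addresses: two hosts behind one NAPT talking to an external IPsec peer
PRIVATE_A, PRIVATE_B = "10.0.0.5", "10.0.0.6"
PUBLIC_NAT = "198.51.100.1"   # address the NAPT writes into the outer IP header
SERVER = "192.0.2.10"

def ones_complement_sum(data: bytes) -> int:
    """Folded 16-bit one's-complement sum used by the TCP checksum (RFC 793)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """The pseudo-header binds the TCP checksum to the IP source and destination."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def build_tcp_segment(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Minimal 20-byte-header TCP segment whose checksum is valid for src_ip/dst_ip."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, 20 + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", ~total & 0xFFFF) + hdr[18:] + payload

def tcp_checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header plus segment must be all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def ipv4_header(src_ip, dst_ip, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))

def deliver_through_napt(mode: str, private_src: str, segment: bytes) -> bool:
    """One ESP-protected segment from private_src to SERVER via the NAPT, which only rewrites
    the outer source to PUBLIC_NAT (ESP contents are opaque). Returns SERVER's checksum verdict."""
    if mode == "transport":
        # ESP wraps the bare TCP segment: receiver checks it against the translated outer source (2.A)
        return tcp_checksum_ok(PUBLIC_NAT, SERVER, segment)
    if mode == "tunnel":
        # Inner IP header (private address) rides inside ESP: receiver checks against the real source
        inner = ipv4_header(private_src, SERVER, len(segment)) + segment
        return tcp_checksum_ok(socket.inet_ntoa(inner[12:16]), SERVER, inner[20:])
    raise ValueError(mode)

def decrypted_flows(mode: str, hosts, sport: int = 40000, dport: int = 80) -> int:
    """Point 2.B: distinct TCP 4-tuples SERVER sees when every host uses the same ports;
    the NAPT cannot rewrite ports hidden inside ESP, so transport-mode flows collapse."""
    return len({(PUBLIC_NAT if mode == "transport" else h, sport, SERVER, dport) for h in hosts})
```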
