
Re: I-D ACTION:draft-shukla-ipsec-nat-qos-compatible-security-00.txt



Looking through the above draft, we find the text (section 6):

"The control packets [SYN=1 or initial UDP packets] are decrypted
  at the [NAT] gateways and re-encrypted after NAT to achieve complete
  compatibility with NAT."

"The data packets are encrypted at the end hosts and are not
  decrypted at the gateways."


They appear to be requiring that the NAT gateways share copies of
the IPSec keys with the end hosts.  If I am interpreting this right,
then:

- The fact that there are more than two systems with knowledge of the
   secret keys is not listed in the Security Considerations -- IMHO,
   it really should be

- The draft does not address how the key transport is to be done
   securely

- The draft cannot be implemented securely if you don't have any way
   to authenticate, or don't trust, the NAT gateway.

Could the author please confirm my interpretation, and address the
above concerns?


>A URL for this Internet-Draft is:
>http://www.ietf.org/internet-drafts/draft-shukla-ipsec-nat-qos-compatible-security-00.txt

-- 
scott


