Re: I-D ACTION:draft-shukla-ipsec-nat-qos-compatible-security-00.txt
----- Original Message -----
From: "Scott Fluhrer" <sfluhrer@cisco.com>
To: <ipsec@lists.tislabs.com>
Sent: Monday, November 13, 2000 12:29 PM
Subject: Re: I-D ACTION:draft-shukla-ipsec-nat-qos-compatible-security-00.txt
> Looking through the above draft, we find the text (section 6):
>
> "The control packets [SYN=1 or initial UDP packets] are decrypted
> at the [NAT] gateways and re-encrypted after NAT to achieve complete
> compatibility with NAT."
>
> "The data packets are encrypted at the end hosts and are not
> decrypted at the gateways."
>
>
> They appear to be requiring the NAT gateways to share copies of
> the IPSec keys with the end hosts. If I am interpreting this right,
> then:
>
No. The keys and SAs used by the end host to encrypt/decrypt
the data packets are not shared with the gateways.
There is a separate channel for securely transmitting the
control packets (just read further down the same section).
quote---
" Typically separate secure channels are used for communicating the
control and data packets because the control packets are decrypted
at the gateways. This creates extra overhead of establishing
security associations and key exchange for the control packets, but
is necessary for end-to-end secure communication over the public
networks. Since the control packets are few compared to data
packets, using a single secure channel for all control packets
communication between two hosts can mitigate the extra overhead. In
LANs it is possible to use the same secure channel for both because
the gateways do not affect these packets."
end quote---
This picture might help understand how the control packets
are transmitted.
          k_1, SA_1             k_2, SA_2             k_3, SA_3
host A ------------ Gateway A ------------ Gateway B ------------ host B

host A:     encrypt control packet using k_1, SA_1
Gateway A:  decrypt using k_1, SA_1
            NAT
            encrypt using k_2, SA_2
Gateway B:  decrypt using k_2, SA_2
            NAT
            encrypt using k_3, SA_3
host B:     decrypt using k_3, SA_3

----------------------------------------------------------------------------

For data packets

host A ------------ Gateway A ------------ Gateway B ------------ host B
encrypt using          NAT                    NAT              decrypt using
k_data, SA_data                                                k_data, SA_data
regards,
Jayant
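An added model of the two channels discussed in this thread (not code from the draft or from either poster): control packets traverse three hop SAs, with each gateway decrypting, applying NAT and re-encrypting, while data packets sealed under k_data cannot be opened or rewritten by a gateway that holds only hop keys. The cipher is a constructed stdlib toy (HMAC-SHA256 keystream plus HMAC tag) standing in for ESP; the keys, addresses and packet fields are made up.

```python
# Constructed model of the draft's control/data split; not IPsec ESP.
import hashlib, hmac, json, os

def _ks(key, nonce, n):
    """Toy keystream: HMAC-SHA256 in counter mode, truncated to n bytes."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, pkt):
    """Encrypt-then-MAC a packet dict; returns nonce | ciphertext | tag."""
    pt = json.dumps(pkt, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key, blob):
    """Return the packet dict, or None if the tag does not verify under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))
    return json.loads(pt)

def nat_gateway(key_in, key_out, blob, field, old, new):
    """Per-hop control handling: decrypt with the inbound SA key, rewrite one
    address field (the NAT step), re-encrypt with the outbound SA key."""
    pkt = open_(key_in, blob)
    if pkt is None:
        raise ValueError("control packet failed integrity check at gateway")
    if pkt[field] == old:
        pkt[field] = new
    return seal(key_out, pkt)

def control_path(k1, k2, k3):
    """host A -(k_1)-> Gateway A -(k_2)-> Gateway B -(k_3)-> host B."""
    blob = seal(k1, {"src": "10.0.0.5", "dst": "203.0.113.7", "flags": "SYN"})
    blob = nat_gateway(k1, k2, blob, "src", "10.0.0.5", "198.51.100.1")   # GW A: source NAT
    blob = nat_gateway(k2, k3, blob, "dst", "203.0.113.7", "192.168.1.9")  # GW B: destination NAT
    return open_(k3, blob)

def data_path(k_data, k_hop):
    """Data packets are sealed end to end; a gateway holding only a hop key
    gets None (tag failure) and so cannot read or NAT them."""
    blob = seal(k_data, {"src": "10.0.0.5", "dst": "203.0.113.7", "payload": "hello"})
    return open_(k_hop, blob), open_(k_data, blob)
```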