
Re: I-D ACTION:draft-shukla-ipsec-nat-qos-compatible-security-00.txt




----- Original Message -----
From: "Scott Fluhrer" <sfluhrer@cisco.com>
To: <ipsec@lists.tislabs.com>
Sent: Monday, November 13, 2000 12:29 PM
Subject: Re: I-D ACTION:draft-shukla-ipsec-nat-qos-compatible-security-00.txt


> Looking through the above draft, we find the text (section 6):
>
> "The control packets [SYN=1 or initial UDP packets] are decrypted
>   at the [NAT] gateways and re-encrypted after NAT to achieve complete
>   compatibility with NAT."
>
> "The data packets are encrypted at the end hosts and are not
>   decrypted at the gateways."
>
>
> They appear to be requiring that the NAT gateways share copies of
> the IPSec keys with the end hosts.  If I am interpreting this right,
> then:
>

No. The keys and SAs used by the end host to encrypt/decrypt
the data packets are not shared with the gateways.

There is a separate channel for securely transmitting the
control packets (just read further down the same section).

quote---

 " Typically separate secure channels are used for communicating the
   control and data packets because the control packets are decrypted
   at the gateways. This creates extra overhead of establishing
   security associations and key exchange for the control packets, but
   is necessary for end-to-end secure communication over the public
   networks. Since the control packets are few compared to data
   packets, using a single secure channel for all control packets
   communication between two hosts can mitigate the extra overhead. In
   LANs it is possible to use the same secure channel for both because
   the gateways do not affect these packets."

end quote---

This picture might help understand how the control packets
are transmitted.

          k_1, SA_1           k_2, SA_2                k_3, SA_3
host A --------- Gateway A -----------Gateway B ---------host B

encrypt control
packet using
k_1, SA_1
                 decrypt using k_1, SA_1
                 NAT
                 encrypt using k_2, SA_2
                                       decrypt using k_2, SA_2
                                       NAT
                                       encrypt using k_3, SA_3
                                                          decrypt using
                                                          k_3, SA_3

----------------------------------------------------------------------------
For data packets

host A ---------Gateway A --------------Gateway B-------host B

encrypt using ----NAT--------------------NAT---------------decrypt using
k_data, SA_data                                            k_data, SA_data




regards,
Jayant
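
To make the two diagrams in the reply concrete, here is an added example (constructed for this page; it is not code from the draft or from either poster) that models the two channels in Python. Control packets travel hop by hop: host A seals them under k_1, gateway A unseals, applies NAT to the inner header as well as the outer one, and re-seals under k_2, gateway B does the same with k_2 and k_3. Data packets are sealed once under k_data, and the gateways only rewrite the cleartext outer header. The `seal`/`unseal` pair is a small HMAC-SHA256 keystream-plus-tag construction standing in for IPsec ESP so the example runs on the standard library alone; the addresses, ports and the key names k_1, k_2, k_3, k_data are assumed values taken from the diagram, and the NAT functions rewrite addresses only (a real NAT also rewrites ports).

```python
"""Toy model of the control/data two-channel scheme (constructed example)."""
import hashlib
import hmac
import json
import os

# Constructed addresses: private hosts behind two NAT gateways.
HOST_A, GW_A_PUB, GW_B_PUB, HOST_B = "10.0.0.5", "198.51.100.1", "203.0.113.1", "192.168.1.7"

# Constructed keys named after the diagram: k_1..k_3 per hop, k_data end to end.
K1, K2, K3, K_DATA = (hashlib.sha256(b"constructed key %d" % i).digest() for i in range(4))


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag (toy stand-in for ESP)."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag and decrypt; raises ValueError under the wrong key."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def snat_a(hdr):
    """Gateway A: source NAT, private host A address -> gateway A public address."""
    return {**hdr, "src": GW_A_PUB} if hdr.get("src") == HOST_A else hdr


def dnat_b(hdr):
    """Gateway B: destination NAT, gateway B public address -> private host B address."""
    return {**hdr, "dst": HOST_B} if hdr.get("dst") == GW_B_PUB else hdr


def gateway_control(pkt, key_in, key_out, translate):
    """Control path (SYN / first UDP packet): decrypt with the inbound hop key,
    NAT both headers, re-encrypt under the outbound hop key."""
    inner = json.loads(unseal(key_in, pkt["blob"]))
    return {"hdr": translate(pkt["hdr"]),
            "blob": seal(key_out, json.dumps(translate(inner)).encode())}


def gateway_data(pkt, translate):
    """Data path: only the cleartext outer header is rewritten; the gateway
    holds no key for the payload and forwards the blob untouched."""
    return {"hdr": translate(pkt["hdr"]), "blob": pkt["blob"]}


def send_control(flags="SYN", sport=40000, dport=443):
    """Host A -> gateway A -> gateway B -> host B for one control packet."""
    inner = {"src": HOST_A, "dst": GW_B_PUB, "sport": sport, "dport": dport, "flags": flags}
    pkt = {"hdr": {"src": HOST_A, "dst": GW_B_PUB}, "blob": seal(K1, json.dumps(inner).encode())}
    pkt = gateway_control(pkt, K1, K2, snat_a)   # gateway A holds k_1 and k_2
    pkt = gateway_control(pkt, K2, K3, dnat_b)   # gateway B holds k_2 and k_3
    return pkt["hdr"], json.loads(unseal(K3, pkt["blob"]))   # host B holds k_3


def send_data(payload):
    """Same path for a data packet, sealed end to end under k_data."""
    pkt = {"hdr": {"src": HOST_A, "dst": GW_B_PUB}, "blob": seal(K_DATA, payload)}
    pkt = gateway_data(pkt, snat_a)
    pkt = gateway_data(pkt, dnat_b)
    return pkt["hdr"], unseal(K_DATA, pkt["blob"])


def readable_with(blob, key):
    """Whether a party holding `key` can read the blob (what a gateway sees)."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("control at host B:", *send_control())
    print("data at host B:", *send_data(b"application data"))
    print("gateway A can read a control packet:", readable_with(seal(K1, b"SYN"), K1))
    print("gateway A can read a data packet:", readable_with(seal(K_DATA, b"x"), K2))
```

The `readable_with` check makes the trust boundary the thread is discussing visible: every control packet is plaintext at each gateway it crosses, so the gateways must be trusted with the connection metadata (addresses, ports, flags) even though they never hold k_data and cannot open a data packet.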


