
Re: NAT traversal clarification?



You shouldn't spend too much time reading this draft. We're hoping to
have the combined draft(s) out soon. ('We' includes SSH Communications.)

The section where this sentence is, is most confusing, but the likely intent
is that the NAT box in this case is the GW, thus it's concerned with SPIs.
Neither the current draft nor the new one requires any specific handling
by a NAT box.

Ari

Ly Loi wrote:
> 
> Hi, draft-huttunen-ipsec-esp-in-udp-01.txt, section 5 "IPSec over NAT
> Operation" has the following:
> 
>     It hits the NAT, and the NAT translates the src address, and source
>     portcreates an entry for the SPI. When the reply comes back from X, the
>     NAT maps the SPI from X with the SPI send from A. Now the NAT knows
>     which internal host to send the packet to, and A gets it.
> 
> Assuming that the text meant to say "... source port, and creates an
> entry ...", I'm not sure I understand why we're referring to the SPI
> here or how it's being used for the following reasons:
> 
> 1. the outgoing SA spi differs from the incoming SA spi, so if a spi
>    entry was created based on an outgoing pkt, this spi entry can't be used
>    to process an incoming pkt.
> 
> 2. having NAT look at the spi field violates the requirement that says
>    NAT should be unaware of IPSEC (or maybe I misunderstood the
>    requirement?)
> 
> 3. why is the spi needed here to map a pkt to an internal host? isn't
>    the port mapping sufficient?
> 
> Thanks,
> - Ly

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Integrated Solutions for Enterprise Security
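The following is an added illustration, not part of the thread or of the draft it discusses. It models a NAT forwarding ESP-in-UDP packets the way Ly's point 3 suggests is sufficient: the NAT keys its translation table on addresses and UDP ports only and never parses the ESP header. Two inside hosts (A and B) both talk to the same outside gateway X from the same UDP source port, X answers each on its own SA with an SPI that differs from the SPI the inside host sent (Ly's point 1), and the port mapping alone is enough to deliver each reply to the right host. All addresses, ports and SPI values are constructed; the `Nat`, `Packet` and `esp_in_udp` names are this example's own.

```python
"""Toy model of a NAT forwarding UDP-encapsulated ESP (ESP-in-UDP).

Constructed example: the NAT keys its state on (inside address, inside port,
remote address, remote port) and hands out a public port per mapping. It
never looks at the ESP SPI, so asymmetric SPIs (different SPIs on the
outbound and inbound SAs) do not matter to it.
"""
from dataclasses import dataclass
import struct


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes  # UDP payload: ESP header (SPI, sequence) + ciphertext


def esp_in_udp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Build the UDP payload: a 32-bit SPI, 32-bit sequence number, then data."""
    return struct.pack("!II", spi, seq) + ciphertext


def spi_of(payload: bytes) -> int:
    """Read the SPI back out of an ESP-in-UDP payload (used only by the demo, not by the NAT)."""
    return struct.unpack("!I", payload[:4])[0]


class Nat:
    """Port-translating NAT; the translation key is addresses and UDP ports only."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside_ip, inside_port, remote_ip, remote_port) -> public port
        self.outbound_map = {}
        # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.inbound_map = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating a mapping on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # Payload (ESP header included) is passed through untouched.
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet):
        """Translate an outside->inside packet; returns None (drop) when no mapping exists."""
        inside = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.payload)


def run_demo():
    """Two inside hosts, one outside gateway, asymmetric SPIs, port-only NAT."""
    nat = Nat("203.0.113.1")
    gw_x = ("198.51.100.7", 4500)                      # outside gateway X (constructed)
    hosts = {"A": "10.0.0.5", "B": "10.0.0.6"}         # inside hosts behind the NAT
    out_spi = {"A": 0x1111_1111, "B": 0x3333_3333}     # SPI each host sends to X
    in_spi = {"A": 0x2222_2222, "B": 0x4444_4444}      # SPI X uses on the reverse SA

    results = {}
    for name, ip in hosts.items():
        sent = Packet(ip, 4500, gw_x[0], gw_x[1], esp_in_udp(out_spi[name], 1, b"ct-" + name.encode()))
        on_wire = nat.outbound(sent)
        # X answers to whatever public address/port it saw, on its own SA.
        reply = Packet(gw_x[0], gw_x[1], on_wire.src_ip, on_wire.src_port,
                       esp_in_udp(in_spi[name], 1, b"ct-x"))
        delivered = nat.inbound(reply)
        results[name] = {
            "public_port": on_wire.src_port,
            "delivered_to": (delivered.dst_ip, delivered.dst_port),
            "spi_differs": spi_of(sent.payload) != spi_of(delivered.payload),
        }

    # A packet from X to a public port the NAT never allocated has no mapping and is dropped.
    stray = Packet(gw_x[0], gw_x[1], nat.public_ip, 40999, esp_in_udp(0x5555_5555, 1, b"ct-stray"))
    results["stray_dropped"] = nat.inbound(stray) is None
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Both hosts use inside port 4500, so the NAT must allocate distinct public ports (40000 for A, 40001 for B) and the reply's destination port alone picks the inside host; the SPI is carried opaquely and differs in each direction, which is exactly why an SPI-keyed table built from outbound traffic could not match inbound packets.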

