
RE: NAT traversal clarification?



> You shouldn't spend too much time reading this draft. We're hoping to
> have the combined draft(s) out soon. ('We' includes SSH Communications.)

Speaking of which -- can you guess an approximate date? (1 month, 2
months...?)

-g

> The section where this sentence is, is most confusing, but the likely
> intent is that the NAT box in this case is the GW, thus it's concerned
> with SPIs. Neither the current draft nor the new one requires any
> specific handling by a NAT box.
>
> Ari
>
> Ly Loi wrote:
> >
> > Hi, draft-huttunen-ipsec-esp-in-udp-01.txt, section 5 "IPSec over NAT
> > Operation" has the following:
> > It hits the NAT, and the NAT translates the src address, and source
> > portcreates an entry for the SPI. When the reply comes back from X, the
> > NAT maps the SPI from X with the SPI send from A. Now the NAT knows
> > which internal host to send the packet to, and A gets it.
> > Assuming that the text meant to say "... source port, and creates an
> > entry ...", I'm not sure I understand why we're referring to the SPI
> > here or how it's being used for the following reasons:
> > 1. the outgoing SA spi differs from the incoming SA spi, so if a spi
> > entry was created based on an outgoing pkt, this spi entry can't be used
> > to process an incoming pkt.
> > 2. having NAT look at the spi field violates the requirement that says
> > NAT should be unaware of IPSEC (or may be I misunderstood the
> > requirement?)
> > 3. why is the spi needed here to map a pkt to an internal host? isn't
> > the port mapping sufficient?
> > Thanks,
> > - Ly
>
> --
> Ari Huttunen                   phone: +358 9 2520 0700
> Software Architect             fax  : +358 9 2520 5001
>
> F-Secure Corporation       http://www.F-Secure.com
>
> F(ully)-Secure products: Integrated Solutions for Enterprise Security
>
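The exchange Ly is asking about, as an added example that is not part of this thread or of the draft: a toy port-translating NAT forwarding UDP-encapsulated ESP purely on the outer IP/UDP headers. It shows points 1 and 3 of Ly's message in running code: the reply carries a different SPI than the outbound packet (separate SAs), so an SPI-keyed entry could never match it, and the UDP port mapping alone is enough to get the reply back to the right internal host. The addresses, SPIs, sequence numbers, the simplified packet layout and the use of UDP port 4500 for the encapsulation are all constructed for this example, not taken from the draft.

```python
"""Toy NAPT for ESP-in-UDP: the translator keys on the outer UDP 5-tuple and
never reads the ESP SPI. Packet layout is simplified to the fields a NAT
touches plus an opaque UDP payload (ESP header + ciphertext).
All addresses, ports and SPIs are constructed sample values."""
import struct
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

UDP_ESP_PORT = 4500  # assumed encapsulation port for this example


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes  # ESP header + encrypted data; opaque to the NAT


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header: 32-bit SPI, 32-bit sequence number, then encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_spi(payload: bytes) -> int:
    """Only the IPsec endpoints need this; the NAT below never calls it."""
    return struct.unpack("!I", payload[:4])[0]


class Napt:
    """Port-translating NAT keyed purely on outer IP addresses and UDP ports."""

    def __init__(self, external_ip: str, first_port: int = 60000) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        # (int_ip, int_port, remote_ip, remote_port) -> external port
        self._out: Dict[Tuple[str, int, str, int], int] = {}
        # (external port, remote_ip, remote_port) -> (int_ip, int_port)
        self._in: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._out.get(key)
        if ext_port is None:
            ext_port = self._next_port
            self._next_port += 1
            self._out[key] = ext_port
            self._in[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # Only the outer source address/port are rewritten; the payload
        # (and therefore the SPI) passes through untouched.
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-map a reply by its destination port and the remote endpoint.
        Returns None (drop) when no mapping exists, e.g. unsolicited traffic."""
        target = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None
        int_ip, int_port = target
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def spi_keyed_lookup_fails(on_wire: Packet, reply: Packet) -> bool:
    """Ly's point 1: a table keyed on the outbound SPI never matches the reply,
    because the reverse-direction SA carries its own, different SPI."""
    table = {parse_spi(on_wire.payload): (on_wire.src_ip, on_wire.src_port)}
    return parse_spi(reply.payload) not in table


def run_exchange() -> dict:
    """Host A (10.0.0.5) behind the NAT talks to X (198.51.100.7)."""
    nat = Napt("203.0.113.1")
    spi_a_to_x = 0x00001001  # SA for A -> X traffic (constructed)
    spi_x_to_a = 0x00002002  # SA for X -> A traffic; deliberately different
    outbound = Packet("10.0.0.5", "198.51.100.7", UDP_ESP_PORT, UDP_ESP_PORT,
                      build_esp(spi_a_to_x, 1, b"\xaa" * 16))
    on_wire = nat.outbound(outbound)
    # X answers to whatever source address/port it saw on the wire.
    reply = Packet("198.51.100.7", on_wire.src_ip, UDP_ESP_PORT, on_wire.src_port,
                   build_esp(spi_x_to_a, 1, b"\xbb" * 16))
    delivered = nat.inbound(reply)
    # An unsolicited packet to an unmapped port has nowhere to go.
    stray = nat.inbound(Packet("192.0.2.9", on_wire.src_ip, UDP_ESP_PORT, 60555,
                               build_esp(0xDEADBEEF, 1, b"\xcc" * 16)))
    return {"on_wire": on_wire, "reply": reply, "delivered": delivered, "stray": stray}


if __name__ == "__main__":
    r = run_exchange()
    print("on wire :", r["on_wire"].src_ip, r["on_wire"].src_port)
    print("delivered to:", r["delivered"].dst_ip, r["delivered"].dst_port)
    print("SPI-keyed lookup would fail:", spi_keyed_lookup_fails(r["on_wire"], r["reply"]))
```

The NAT's reverse table is indexed by the external port plus the remote endpoint, which is exactly the information the outer headers give it; nothing in the ESP payload is consulted, so the device stays IPsec-unaware as Ly's point 2 expects.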
