
Re: NAT traversal clarification?




----- Original Message ----- 
From: "Ly Loi" <lll@tahoenetworks.com>

> Hi, draft-huttunen-ipsec-esp-in-udp-01.txt, section 5 "IPSec over NAT
> Operation" has the following:
> It hits the NAT, and the NAT translates the src address, and source
> portcreates an entry for the SPI. When the reply comes back from X, the
> NAT maps the SPI from X with the SPI send from A. Now the NAT knows
> which internal host to send the packet to, and A gets it. 
> Assuming that the text meant to say "... source port, and creates an
> entry ...", I'm not sure I understand why we're referring to the SPI
> here or how it's being used for the following reasons:
> 
> 

Moreover, they have only described the
host-to-network scenario and skipped the
host-to-host scenario in Section 5. I tried
to work out the host-to-host scenario in
case of a VPN and am having some difficulties.

Consider A 10.1.1.1 on network X 172.1.1.1 and
B 10.0.0.1 on network Y 172.0.0.2

A      X <----------------------- >Y    B

when A wants to communicate with B in a VPN
environment, then the UDP encapsulation of ESP
in IPSec transport mode does not work. You
can easily figure it out. 

Now let's see what happens in tunnel mode.
Say A sends a packet (src IP=10.1.1.1, dst IP = 10.0.0.1, 
src pt = 601, dst pt = 79) to B. Format of the 
packet is

+--------------------------------------------------+
| IP | UDP| ESP| IP | UDP/TCP| data| AH |
+--------------------------------------------------+
                             encrypted
                        <---------------------->

Gateway at X (172.1.1.1) has to replace the
destination address and perform NAT. NAT
changes the src IP address and src port #.
 
New packet information could be like this,
(src IP=172.1.1.1, dst IP = 172.0.0.2, src pt = 602, dst pt = 79). 

When gateway at Y (172.0.0.2) receives
this packet, how does it forward the packet to B? 
Because the IP address is inside the encrypted 
region of the packet, Y cannot look at it. Of course
we are assuming a true end-to-end scenario where
the end-host (B) has the key required to decrypt 
the packet and does not share it with Y.

Looks like a problem to me!

regards,
Jayant
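A small model of the tunnel-mode exchange described above, added here by the editor (it is not code from the draft or from anyone in the thread): it packs the outer IP/UDP/ESP headers around an encrypted inner packet, lets the NAT at X rewrite only the outer source address and port, and shows that the inner destination 10.0.0.1 can be read only by whoever holds the key. Addresses and ports are the ones from the message; the SPI value, the key, and the SHA-256 XOR keystream are constructed stand-ins, not ESP's real transform.

```python
import struct
import socket
import hashlib

def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over a 20-byte IPv4 header (0 when the stored checksum is valid)."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)  # UDP checksum 0 = absent (IPv4)

def toy_xor(key: bytes, data: bytes) -> bytes:
    # Constructed toy keystream standing in for the ESP cipher; XOR twice restores the data.
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_esp_in_udp(osrc, odst, sport, dport, spi, seq, inner_pkt, key) -> bytes:
    # Outer IP | UDP | ESP (SPI, seq) | encrypted inner IP/UDP/data, as in the message's diagram.
    esp = struct.pack("!II", spi, seq) + toy_xor(key, inner_pkt)
    return ipv4_header(osrc, odst, 17, 8 + len(esp)) + udp_header(sport, dport, len(esp)) + esp

def nat_rewrite(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    # The NAT rewrites only the outer source IP and UDP port; the ESP body is opaque to it.
    dst, dport, esp = socket.inet_ntoa(pkt[16:20]), struct.unpack("!H", pkt[22:24])[0], pkt[28:]
    return ipv4_header(new_src, dst, 17, 8 + len(esp)) + udp_header(new_sport, dport, len(esp)) + esp

def parse_outer(pkt: bytes) -> dict:
    # Everything the gateway at Y can read without the key: outer addresses, ports, SPI, sequence.
    sport, dport = struct.unpack("!HH", pkt[20:24])
    spi, seq = struct.unpack("!II", pkt[28:36])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "spi": spi, "seq": seq,
            "checksum_ok": ipv4_checksum(pkt[:20]) == 0, "ciphertext": pkt[36:]}

def inner_dst(pkt: bytes, key: bytes) -> str:
    # Only the key holder (end host B in the scenario) recovers the inner destination address.
    return socket.inet_ntoa(toy_xor(key, pkt[36:])[16:20])

KEY = b"constructed-demo-key"                     # constructed; shared by A and B only
INNER = ipv4_header("10.1.1.1", "10.0.0.1", 17, 12) + udp_header(601, 79, 4) + b"data"
SENT = build_esp_in_udp("10.1.1.1", "172.0.0.2", 601, 79, 0x1234, 1, INNER, KEY)  # SPI constructed
AT_Y = nat_rewrite(SENT, "172.1.1.1", 602)        # what gateway Y receives after the NAT at X
```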