
Re: IPSEC Security Gateways & NAT



"Steven M. Bellovin" wrote:
> 
> In message <3.0.5.32.20010607143550.047a3380@smtp.datafellows.com>, Joern Sierw
> ald writes:
> 
> >The consensus among IPsec vendors is ESPoUDP. You use tunnel mode,
> >and insert a UDP header in front of the ESP header. This is dead simple
> >and works with normal NAT boxes.
> >
> 
> I don't know that I'd use the word "consensus" -- and I would note that
> SSH has claimed assorted patent rights to the concept, at least as
> explained in draft-stenberg-ipsec-nat-traversal-*.txt.

Consensus is perhaps too strong a word, but the suggestions I've seen are
of two kinds: they modify the NAT box, or they put a UDP header in front of
the ESP (or AH) header. If one has the assumption that NAT boxes can't be
modified, I'd say the consensus is on UDP encapsulation.

I've seen two SSH patent applications on this, and they didn't (seem to)
cover simple UDP header in front of ESP header. They cover a lot of other
things, but not that. The reason is probably that some hardware gateway
vendors have had this in for years. I don't know exactly how long, but that's
what someone told me in San Diego last fall.

Ari

-- 
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Integrated Solutions for Enterprise Security
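The UDP-in-front-of-ESP encapsulation discussed above, as an added illustration that is not part of this thread. The layout follows what RFC 3948 later standardized (port 4500 and a four-zero-byte marker to tell IKE from ESP on the shared port); the SPI, sequence number and "ciphertext" bytes are constructed test values.

```python
import struct

# Port later standardized by RFC 3948 for UDP-encapsulated ESP (assumed here).
UDP_ENCAP_PORT = 4500
# RFC 3948: IKE sharing the port carries four zero bytes where the SPI would be.
NON_ESP_MARKER = b"\x00" * 4


def build_udp_encap_esp(src_port, dst_port, spi, seq, esp_body):
    """Prepend a UDP header to an ESP packet (SPI, sequence number, body).

    The UDP checksum is left at zero, which IPv4 allows and spares the NAT
    from recomputing anything after it rewrites the outer address and port."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would look like the IKE marker")
    esp = struct.pack("!II", spi, seq) + esp_body
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0)
    return udp + esp

def parse_udp(packet):
    """Split a UDP datagram into header fields and payload, checking the length."""
    src, dst, length, csum = struct.unpack("!HHHH", packet[:8])
    if length != len(packet):
        raise ValueError("UDP length field does not match datagram size")
    return {"src": src, "dst": dst, "csum": csum, "payload": packet[8:]}

def demux_encap_payload(payload):
    """Classify a UDP payload received on the encapsulation port as IKE or ESP."""
    if len(payload) < 8:
        raise ValueError("payload too short for an ESP header")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", {"spi": spi, "seq": seq, "body": payload[8:]})

def nat_rewrite_src_port(packet, new_src_port):
    """Model a port-translating NAT: only the outer UDP source port changes.
    The ESP header and ciphertext are opaque to it and pass through intact,
    which is why this works where NAT cannot rewrite a bare ESP packet."""
    hdr = parse_udp(packet)
    udp = struct.pack("!HHHH", new_src_port, hdr["dst"], 8 + len(hdr["payload"]), 0)
    return udp + hdr["payload"]

if __name__ == "__main__":
    # Constructed sample: SPI and ciphertext bytes are arbitrary test values.
    pkt = build_udp_encap_esp(UDP_ENCAP_PORT, UDP_ENCAP_PORT, 0x1234ABCD, 7, b"ciphertext")
    kind, esp = demux_encap_payload(parse_udp(nat_rewrite_src_port(pkt, 40001))["payload"])
    print(kind, hex(esp["spi"]), esp["seq"])  # esp 0x1234abcd 7
```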
