
Re: IPSEC Security Gateways & NAT



My understanding was that ESPinUDP == ESPoUDP which is basically an
encapsulation of ESP packets (_ANY_ ESP packet) in a UDP header.  So,
you use UDP as the transport mechanism to get the ESP packet from host
A to host B through whatever NATs are in the way.  The end-hosts
decapsulate the packets, and then process the ESP as they normally
would.  This implies ALL protections and features you would get from
normal ESP.

The benefit is that this works 100% in a one-sided-NAT or Road-Warrior
system.  E.g., if you have something like:

  RW - NAT - <I-Inet> - SG

The Road Warrior can set up a NAT traversal by sending UDP packets
(that happen to contain ESP), and the SG can reply back to the host
(through the NAT) back to the original UDP port.

-derek

"Chen, David" <dchen@ellacoya.com> writes:

> Jayant,
> Does "ESPinUDP" apply to both transport and tunnel mode?
> Where is the draft?
> Thanks,
> --- David
> 
> -----Original Message-----
> From: jshukla [mailto:jshukla@earthlink.net]
> Sent: Friday, June 08, 2001 2:00 PM
> To: Chen, David; ipsec@lists.tislabs.com
> Subject: Re: IPSEC Security Gateways & NAT
> 
> 
> 
> ----- Original Message ----- 
> From: "Chen, David" <dchen@ellacoya.com>
> 
> > Jayant,
> > Does the "ESPinUDP" mean UDP/IP encapsulate IPSec packets?
> 
> Almost! ESPinUDP inserts an extra UDP header in IPSec packets.
> In IPSec, the ESP header follows the IP header. In ESPinUDP
> a UDP header follows the IP header and the ESP header comes after
> that.
> 
> IP header | UDP header | ESP header | encrypted payload
> 
> regards,
> Jayant

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
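
The layout Jayant describes (IP | UDP | ESP | encrypted payload) and the decapsulate-then-process-as-normal-ESP step Derek describes, as an added Python example that is not part of this thread. The addresses, SPI, sequence number and payload bytes are constructed; UDP port 4500 is assumed from the later NAT-T specification, not from the thread, and the IP/UDP checksums are left at zero as this is an offline sample.

```python
import struct

NAT_T_PORT = 4500  # assumed: IANA port for UDP-encapsulated ESP (not from the thread)

def build_esp_in_udp(src_ip, dst_ip, src_port, spi, seq, esp_body):
    """Wrap an ESP packet (header + payload) in UDP and IPv4, as the RW would send it."""
    esp = struct.pack("!II", spi, seq) + esp_body                 # ESP header | payload
    udp = struct.pack("!HHHH", src_port, NAT_T_PORT, 8 + len(esp), 0) + esp  # checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ip + udp

def decapsulate_esp_in_udp(packet):
    """Strip IP and UDP, returning the inner ESP packet plus where to send the reply.

    Returns None when the packet is not UDP-encapsulated ESP, so the caller can
    pass it to ordinary IP processing instead of the ESP path."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17 or total_len > len(packet) or ihl + 8 > total_len:
        return None                                   # not UDP, or truncated
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != NAT_T_PORT or udp_len != total_len - ihl or udp_len < 16:
        return None                                   # wrong port, bad length, or no ESP header
    esp = packet[ihl + 8:total_len]
    spi, seq = struct.unpack("!II", esp[:8])
    if spi == 0:
        return None                                   # SPI 0 is reserved, not a real SA
    # The SG answers to the (NAT-translated) source address and UDP port it saw,
    # which is what lets the reply get back through the NAT to the Road Warrior.
    reply_to = (".".join(str(b) for b in packet[12:16]), src_port)
    return {"spi": spi, "seq": seq, "esp": esp, "reply_to": reply_to}

if __name__ == "__main__":
    pkt = build_esp_in_udp("192.0.2.10", "198.51.100.1", 40000, 0x1234ABCD, 7, b"\x00" * 24)
    print(decapsulate_esp_in_udp(pkt))
```

Once `esp` is extracted it is a complete ESP packet and goes through the normal ESP input path (SA lookup by SPI, replay check, decryption), exactly as Derek says.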

