
Re: IPSEC Security Gateways & NAT




----- Original Message ----- 
From: "Derek Atkins" <warlord@mit.edu>


> Honestly, I'm not 100% sure how IKE works in this configuration.  At
> least in this method the initiator can be behind a NAT.  It's unclear
> how it would work if the responder is behind a NAT.  In the
> architecture I described, the initiator is behind a NAT but the
> responder is not.
> 

This is the only case that they discuss in their draft and
I am not sure that even this case works. My concern is
about the authenticating hash computation.

HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)

since NAT changes the source IP address, the initiator gets
the value of HASH_I wrong. The only way this problem can
be solved is if the initiator knows how NAT translates the IP
address. If the ISP is also applying NAT, it may be impossible
for the initiator to get this information and it will always compute
HASH_I incorrectly. The same applies to the responder.

regards,
Jayant
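
An added example, not part of this thread, that models the concern raised above: it computes HASH_I as an HMAC-SHA1 prf over constructed inputs and shows that if the two ends feed different address bytes into IDii_b (here an ID_IPV4_ADDR identity whose address a NAT has rewritten), the resulting hashes differ. The prf choice, the ID payload layout taken from RFC 2407, and every input value are assumptions made for the illustration.

```python
import hmac
import hashlib
import ipaddress

# Constructed sample inputs (not captured IKE traffic). The names follow
# the HASH_I formula from RFC 2409: 8-byte cookies, one DH public value
# per side, the initiator's SA payload body, and SKEYID as the prf key.
SKEYID = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
G_XI = bytes(range(0, 128))       # g^xi, initiator's DH public value
G_XR = bytes(range(128, 256))     # g^xr, responder's DH public value
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")
SAI_B = bytes.fromhex("00000001000000010000002801010001")  # SAi_b, constructed

ID_IPV4_ADDR = 1  # Identification type value from RFC 2407


def idii_b(addr: str) -> bytes:
    """Body of an Identification payload carrying an ID_IPV4_ADDR identity:
    ID type, protocol ID, port (both zero here), then the 4-byte address."""
    return bytes([ID_IPV4_ADDR, 0]) + (0).to_bytes(2, "big") + ipaddress.IPv4Address(addr).packed


def hash_i(idii: bytes, skeyid: bytes = SKEYID) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b).
    prf is assumed to be HMAC-SHA1, one of the prfs IKEv1 can negotiate."""
    msg = G_XI + G_XR + CKY_I + CKY_R + SAI_B + idii
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def hashes_agree(initiator_addr: str, responder_view_addr: str) -> bool:
    """Model the concern in the thread: the initiator builds HASH_I over the
    address it knows for itself, while the responder recomputes it over the
    address it believes the initiator has. If a NAT between them rewrites the
    address and the two sides therefore feed different bytes into IDii_b,
    the two HMACs differ and the authentication check fails."""
    sent = hash_i(idii_b(initiator_addr))
    recomputed = hash_i(idii_b(responder_view_addr))
    return hmac.compare_digest(sent, recomputed)


if __name__ == "__main__":
    print("no NAT  :", hashes_agree("192.0.2.10", "192.0.2.10"))   # True
    print("with NAT:", hashes_agree("10.0.0.5", "203.0.113.7"))    # False
```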

