
Re: IPSEC Security Gateways & NAT




----- Original Message ----- 
From: "Chen, David" <dchen@ellacoya.com>
To: "'Derek Atkins'" <warlord@mit.edu>; "jshukla" <jshukla@earthlink.net>
Cc: <ipsec@lists.tislabs.com>
Sent: Monday, June 11, 2001 10:59 AM
Subject: RE: IPSEC Security Gateways & NAT


> Derek and Jayant,
> What if the IKE packet is tunneled by encapsulating the UDP/IP?
> It seems the ESPoUDP + IKEoUDP (for IPSec) will work fine with NAPT 
> under any circumstance?
> 
> --- David
> 

Simple answer is yes, but a whole lot of other 
work needs to be done. 


1) There needs to be a mapping at the
receiver (inner IP addresses and port #s to outer
IP addresses and port #s). This mapping is used
to send the packets back to the initiator. 

2) You can reverse the effect of NAT with
this mapping and therefore the subsequent packets
don't have to have the extra IP/UDP headers.

3) It's a bad idea to just use UDP for encapsulation 
because you are mapping TCP/UDP services to
UDP. This can lead to incompatibility with QoS
protocols and will make BITW implementations
difficult. There might be problems with routing
fragmented packets and ICMP messages. 
A better solution is to use TCP -> TCP and 
UDP -> UDP encapsulation.

etc. etc. 

For more information you can read our draft on 
NAT and QoS compatible end-2-end security. We 
have a new and more detailed draft coming out soon.

regards,
Jayant
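A toy model of points 1 and 2 in the reply above, added here as an illustration and not code from the thread or from the cited draft: a responder gateway records the outer address and port that each SA's UDP-encapsulated ESP packets actually arrive from, and uses that mapping to address its replies so the NAPT box can translate them back. Hosts, ports and the SPI are constructed sample values, and 4500 is used as a placeholder encapsulation port.

```python
# Added example, not part of the thread: a toy model of the inner->outer address
# mapping for UDP-encapsulated ESP behind a NAPT box. Hosts, ports and the SPI
# are constructed sample values; 4500 is a placeholder encapsulation port.
from dataclasses import dataclass, replace

UDP_ENCAP_PORT = 4500

@dataclass(frozen=True)
class Pkt:
    src_ip: str; src_port: int     # outer IP/UDP headers, rewritten by NAPT
    dst_ip: str; dst_port: int
    spi: int                       # ESP SPI inside the UDP payload; NAPT never sees it

class Napt:
    """Port-translating NAT in front of the initiator."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}   # (private ip, port) -> public port
        self.back = {}  # public port -> (private ip, port)
    def outbound(self, p):
        key = (p.src_ip, p.src_port)
        if key not in self.out:
            self.out[key] = self.next_port; self.back[self.next_port] = key
            self.next_port += 1
        return replace(p, src_ip=self.public_ip, src_port=self.out[key])
    def inbound(self, p):
        # Only packets addressed to a mapped public port can be delivered inside;
        # a reply sent to the initiator's private address is simply dropped.
        if p.dst_ip != self.public_ip or p.dst_port not in self.back:
            return None
        ip, port = self.back[p.dst_port]
        return replace(p, dst_ip=ip, dst_port=port)

class Gateway:
    """Responder: records the outer address each SA's packets really come from."""
    def __init__(self, ip):
        self.ip, self.peer_by_spi = ip, {}
    def receive(self, p):           # point 1: learn the inner->outer mapping per SA
        self.peer_by_spi[p.spi] = (p.src_ip, p.src_port)
    def reply(self, spi):           # point 2: address the return packet with it
        ip, port = self.peer_by_spi[spi]
        return Pkt(self.ip, UDP_ENCAP_PORT, ip, port, spi)

def round_trip(initiator_ip="10.0.0.7", gw_ip="198.51.100.1", spi=0x1234):
    """Return the reply as delivered to the initiator, or None if NAPT dropped it."""
    napt, gw = Napt("203.0.113.5"), Gateway(gw_ip)
    out = napt.outbound(Pkt(initiator_ip, UDP_ENCAP_PORT, gw_ip, UDP_ENCAP_PORT, spi))
    gw.receive(out)
    return napt.inbound(gw.reply(spi))
```

The mapping is keyed on the SPI because it is the only peer identifier that survives NAT unchanged; a reply addressed to the initiator's private address instead of the learned outer address never makes it through `Napt.inbound`.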

