
RE: IPSEC Security Gateways & NAT



Jayant,

It seems to work if
IKE is encapsulated in UDP/IP with the same 500/IP as IKE's original at the
initiator, and the responder does not check the outer IP and knows to
decapsulate the outer UDP/IP.
The extra header consumes bandwidth, but it is signalling; therefore, it can be
traded for security through NAPT.

For ESPoUDP,
it is desirable to have the mapping TCP->TCP, UDP->UDP and
OtherProtocol->OtherProtocol from inner to outer, and not just uniformly
use UDP.

Furthermore, for IP QoS,
it seems only the DS (TOS byte) is significant for IP packet classification.
It can also be copied from inner to outer.

It seems that, to traverse NAPT securely, the answer is
to copy the whole inner encrypted header to the outer (except addresses and
checksum)?

Regards,

--- David




-----Original Message-----
From: jshukla [mailto:jshukla@earthlink.net]
Sent: Monday, June 11, 2001 3:36 PM
To: Chen, David; 'Derek Atkins'
Cc: ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT



----- Original Message ----- 
From: "Chen, David" <dchen@ellacoya.com>
To: "'Derek Atkins'" <warlord@mit.edu>; "jshukla" <jshukla@earthlink.net>
Cc: <ipsec@lists.tislabs.com>
Sent: Monday, June 11, 2001 10:59 AM
Subject: RE: IPSEC Security Gateways & NAT


> Derek and Jayant,
> What if the IKE packet is tunneled by encapsulating the UDP/IP?
> It seems the ESPoUDP + IKEoUDP (for IPSec) will work fine with NAPT
> under any circumstance?
> 
> --- David
> 

The simple answer is yes, but a whole lot of other
work needs to be done.


1) There needs to be a mapping at the
receiver (inner IP addresses and port #s to outer
IP addresses and port #s). This mapping is used
to send the packets back to the initiator. 

2) You can reverse the effect of NAT with
this mapping and therefore the subsequent packets
don't have to have the extra IP/UDP headers.

3) It's a bad idea to just use UDP for encapsulation
because you are mapping TCP/UDP services to
UDP. This can lead to incompatibility with QoS
protocols and will make BITW implementations
difficult. There might be problems with routing
fragmented packets and ICMP messages.
A better solution is to use TCP -> TCP and
UDP -> UDP encapsulation.

etc. etc. 

For more information you can read our draft on 
NAT and QoS compatible end-2-end security. We 
have a new and more detailed draft coming out soon.

regards,
Jayant
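The following is an added example, not code from either author or from any IPsec implementation. It models, end to end, the two points the thread turns on: David's observation that plain ESP needs a UDP outer header (with the DS/TOS byte copied inner to outer) to get through a NAPT, and Jayant's point 1, the receiver-side mapping from the SPI to the outer (address, port) the packet arrived from, which is what lets the responder address replies back through the NAT. Everything in it is assumed for illustration: the addresses, the SPI, the outer UDP port 4500 (the thread only names 500 for IKE), the port-based NAPT model, and a repeating-key XOR standing in for ESP encryption so the script runs offline.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

NATT_PORT = 4500  # assumed outer UDP port for ESP-in-UDP (not from the thread)
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    tos: int = 0
    sport: int = 0          # no meaning for plain ESP (protocol 50)
    dport: int = 0
    payload: bytes = b""

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for ESP encryption: repeating-key XOR, so decrypt == encrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def esp_encapsulate(inner: Packet, spi: int, seq: int, key: bytes,
                    outer_src: str, outer_dst: str, over_udp: bool) -> Packet:
    """Tunnel-mode ESP: the whole inner packet becomes the encrypted payload.
    DS/TOS is copied inner -> outer so QoS classifiers still see it."""
    hdr = f"{inner.src}|{inner.dst}|{inner.proto}|{inner.sport}|{inner.dport}|"
    esp = struct.pack("!II", spi, seq) + toy_encrypt(key, hdr.encode() + inner.payload)
    if over_udp:
        return Packet(outer_src, outer_dst, IPPROTO_UDP, inner.tos, NATT_PORT, NATT_PORT, esp)
    return Packet(outer_src, outer_dst, IPPROTO_ESP, inner.tos, payload=esp)

def esp_decapsulate(outer: Packet, key: bytes) -> tuple[int, Packet]:
    spi, _seq = struct.unpack("!II", outer.payload[:8])
    f = toy_encrypt(key, outer.payload[8:]).split(b"|", 5)
    return spi, Packet(f[0].decode(), f[1].decode(), int(f[2]), outer.tos,
                       int(f[3]), int(f[4]), f[5])

class Napt:
    """Port-based NAPT: it can only translate packets that carry a transport port."""
    def __init__(self, public_ip: str):
        self.public_ip, self.next_port = public_ip, 40000
        self.out = {}    # (private ip, private port) -> public port
        self.back = {}   # public port -> (private ip, private port)

    def outbound(self, p: Packet) -> Packet | None:
        if p.proto not in (IPPROTO_TCP, IPPROTO_UDP):
            return None             # plain ESP: no port to multiplex on, dropped
        key = (p.src, p.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, p.dst, p.proto, p.tos, self.out[key], p.dport, p.payload)

    def inbound(self, p: Packet) -> Packet | None:
        priv = self.back.get(p.dport)
        if priv is None:
            return None
        return Packet(p.src, priv[0], p.proto, p.tos, p.sport, priv[1], p.payload)

class Gateway:
    """Responder gateway. peer_map is the receiver-side mapping from the thread:
    the outer (ip, port) the ESP arrived from, keyed by SPI, used for replies."""
    def __init__(self, ip: str, key: bytes):
        self.ip, self.key = ip, key
        self.peer_map = {}

    def receive(self, outer: Packet) -> Packet:
        spi, inner = esp_decapsulate(outer, self.key)
        self.peer_map[spi] = (outer.src, outer.sport)   # learn the NAT's translated address
        return inner

    def reply(self, inner_reply: Packet, spi: int, seq: int) -> Packet:
        peer_ip, peer_port = self.peer_map[spi]
        out = esp_encapsulate(inner_reply, spi, seq, self.key, self.ip, peer_ip, True)
        out.dport = peer_port       # undo the NAT's rewrite: not port 4500 but its mapping
        return out

def run_scenario() -> dict:
    """Initiator 10.0.0.2 behind NAPT 203.0.113.5 reaches server 192.0.2.80
    behind responder gateway 198.51.100.1 (all addresses constructed)."""
    key, spi = b"k3y", 0x1234
    nat, gw = Napt("203.0.113.5"), Gateway("198.51.100.1", key)
    inner = Packet("10.0.0.2", "192.0.2.80", IPPROTO_TCP, 0x28, 5555, 443, b"GET /")
    plain = nat.outbound(esp_encapsulate(inner, spi, 1, key, inner.src, gw.ip, False))
    on_wire = nat.outbound(esp_encapsulate(inner, spi, 1, key, inner.src, gw.ip, True))
    seen = gw.receive(on_wire)
    reply = Packet(inner.dst, inner.src, IPPROTO_TCP, 0x28, 443, 5555, b"200 OK")
    reply_wire = gw.reply(reply, spi, 1)
    back = nat.inbound(reply_wire)
    _, reply_seen = esp_decapsulate(back, key)
    return {
        "plain_esp_dropped": plain is None,
        "outer_tos": on_wire.tos,
        "nat_src": (on_wire.src, on_wire.sport),
        "peer_map": gw.peer_map[spi],
        "seen_inner": (seen.src, seen.dst, seen.sport, seen.dport, seen.payload),
        "reply_outer_dst": (reply_wire.dst, reply_wire.dport),
        "reply_private_dst": (back.dst, back.dport),
        "reply_inner": (reply_seen.src, reply_seen.dst, reply_seen.payload),
    }
```

Running `run_scenario()` shows the plain ESP packet being dropped by the NAPT (no port to rewrite), the UDP-encapsulated copy leaving the NAT as 203.0.113.5:40000 with TOS 0x28 intact, the gateway recording (203.0.113.5, 40000) under the SPI, and the reply reaching 10.0.0.2 only because the gateway addressed the outer header from that mapping rather than from the inner packet. Note that this toy model only keys the mapping on the SPI; a real implementation also has to handle the NAT mapping timing out and the peer reappearing from a different port.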

