
Re: IPSEC Security Gateways & NAT




----- Original Message -----
From: "Chen, David" <dchen@ellacoya.com>


> Jayant,
>
> It seems to work if
> IKE is encapsulated in a UDP/IP with the same port as IKE's original 500/IP at
> the initiator, and the responder does not check the outer IP and knows to
> decapsulate the outer UDP/IP.

Yes, but the information from the outer header is needed
to redirect the replies properly.

> The extra header consumes bandwidth, but it is signaling; therefore, it can
> be traded for security through NAPT.
>
>

If you do it only for the first packet, then you don't even waste
much bandwidth.

> For ESPoUDP,
> it is desirable to have the mapping as TCP->TCP, UDP->UDP and
> OtherProtocol->OtherProtocol from inner to outer, and not just uniformly
> using UDP.
>

Yes, it is desirable to have the mapping TCP->TCP and UDP->UDP,
but then it is *no longer* ESPoUDP. For them, it is TCP/UDP->UDP.
It is in NGISec that you have TCP->TCP and UDP->UDP.

http://search.ietf.org/internet-drafts/draft-shukla-ipsec-nat-qos-compatible-security-00.txt


> Furthermore, for IP QoS,
> it seems only DS (TOS byte) is significant for IP packet classification.
> It can also be copied from inner to outer.
>

While DS may be sufficient in some cases, it is
highly desirable to have per-flow based QoS.
With TCP->TCP and UDP->UDP mapping and
the transport layer header visible in the clear, we
can support per-flow (application level) based QoS.

> It seems that, to traverse NAPT securely, the answer is
> copying all of the inner encrypted header to the outer (except addresses and
> checksum)?
>

In short, yes. As long as you have a mechanism for
decapsulating the packets with extra headers,
generating the mappings from inner headers to outer headers,
and using the mappings to redirect the outbound packets
appropriately.

regards,
Jayant

> Regards,
>
> --- David
>
>
>
>
> -----Original Message-----
> From: jshukla [mailto:jshukla@earthlink.net]
> Sent: Monday, June 11, 2001 3:36 PM
> To: Chen, David; 'Derek Atkins'
> Cc: ipsec@lists.tislabs.com
> Subject: Re: IPSEC Security Gateways & NAT
>
>
>
> ----- Original Message -----
> From: "Chen, David" <dchen@ellacoya.com>
> To: "'Derek Atkins'" <warlord@mit.edu>; "jshukla" <jshukla@earthlink.net>
> Cc: <ipsec@lists.tislabs.com>
> Sent: Monday, June 11, 2001 10:59 AM
> Subject: RE: IPSEC Security Gateways & NAT
>
>
> > Derek and Jayant,
> > What if the IKE packet is tunneled by encapsulating the UDP/IP?
> > It seems the ESPoUDP + IKEoUDP (for IPSec) will work fine with NAPT
> > under any circumstance?
> >
> > --- David
> >
>
> The simple answer is yes, but a whole lot of other
> work needs to be done.
>
>
> 1) There needs to be a mapping at the
> receiver (inner IP addresses and port #s to outer
> IP addresses and port #s). This mapping is used
> to send the packets back to the initiator.
>
> 2) You can reverse the effect of NAT with
> this mapping and therefore the subsequent packets
> don't have to have the extra IP/UDP headers.
>
> 3) It's a bad idea to just use UDP for encapsulation
> because you are mapping TCP/UDP services to
> UDP. This can lead to incompatibility with QoS
> protocols and will make BITW implementations
> difficult. There might be problems with routing
> fragmented packets and ICMP messages.
> A better solution is to use TCP->TCP and
> UDP->UDP encapsulation.
>
> etc. etc.
>
> For more information you can read our draft on
> NAT and QoS compatible end-2-end security. We
> have a new and more detailed draft coming out soon.
>
> regards,
> Jayant
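
A worked illustration of point 1) in the quoted message (a mapping at the receiver from outer addresses/ports, used to send packets back to the initiator) and of the remark above that the information from the outer header is needed to redirect replies. This is an added example, not code from the thread or from the NGISec draft: it uses the plain UDP encapsulation format that was later standardized in RFC 3948 (UDP port 4500, a four-byte zero "non-ESP marker" in front of IKE, the ESP SPI first otherwise), not the TCP->TCP / UDP->UDP scheme the draft proposes. All addresses, ports, SPIs and "ciphertext" bytes are constructed, and there is no real encryption or integrity check.

```python
"""UDP-encapsulated ESP/IKE through a NAPT with a receiver-side mapping table (constructed example)."""
import struct

UDP_ENCAP_PORT = 4500                  # RFC 3948 UDP-encapsulation port
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE; ESP SPI 0 is reserved, so no clash


def build_udp(src_port, dst_port, payload):
    # UDP header: src, dst, length, checksum. Checksum is sent as zero because a NAT
    # rewriting the outer addresses would invalidate it anyway.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def parse_udp(datagram):
    src, dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length mismatch")
    return src, dst, datagram[8:]


def build_esp(spi, seq, ciphertext):
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + ciphertext   # ESP header + opaque payload


def build_ike(ike_msg):
    return NON_ESP_MARKER + ike_msg


def demux(payload):
    """Tell UDP-encapsulated IKE from ESP by the 4-byte non-ESP marker."""
    if payload[:4] == NON_ESP_MARKER:
        return "IKE", payload[4:]
    spi, seq = struct.unpack("!II", payload[:8])
    return "ESP", (spi, seq, payload[8:])


class Napt:
    """Minimal NAPT: maps private (ip, port) to (public_ip, fresh port) and back."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port, self.table = public_ip, first_port, {}

    def outbound(self, src_ip, datagram):
        sp, dp, payload = parse_udp(datagram)
        key = (src_ip, sp)
        if key not in self.table:
            self.table[key], self.next_port = self.next_port, self.next_port + 1
        return self.public_ip, build_udp(self.table[key], dp, payload)

    def inbound(self, datagram):
        sp, dp, payload = parse_udp(datagram)
        for (ip, port), pub in self.table.items():
            if pub == dp:
                return ip, build_udp(sp, port, payload)
        raise KeyError("no NAPT mapping for port %d" % dp)


class Responder:
    """Gateway side: the reply destination is learned from the OUTER header, not the inner one."""
    def __init__(self):
        self.ike_peer = None     # (outer ip, port) seen on the last IKE packet
        self.peer_by_spi = {}    # inbound SPI -> (outer ip, port)

    def receive(self, outer_src_ip, datagram):
        src_port, _dst_port, payload = parse_udp(datagram)
        kind, body = demux(payload)
        if kind == "IKE":
            self.ike_peer = (outer_src_ip, src_port)
        else:
            spi, _seq, _ct = body
            # A real implementation must verify the ESP ICV before updating this entry,
            # otherwise a spoofed packet carrying the SPI could redirect the SA's traffic.
            self.peer_by_spi[spi] = (outer_src_ip, src_port)
        return kind

    def reply(self, inbound_spi, outbound_spi, seq, ciphertext):
        ip, port = self.peer_by_spi[inbound_spi]
        return ip, build_udp(UDP_ENCAP_PORT, port, build_esp(outbound_spi, seq, ciphertext))


def run_scenario():
    """Initiator 10.0.0.5 behind NAPT 203.0.113.7 talks to a gateway (all values constructed)."""
    napt, gw = Napt("203.0.113.7"), Responder()
    init_ip = "10.0.0.5"
    kinds = []
    # 1) IKE, then 2) ESP, both UDP-encapsulated from port 4500 to port 4500.
    for payload in (build_ike(b"IKE_SA_INIT"), build_esp(0x1234, 1, b"ciphertext")):
        pub_ip, dgram = napt.outbound(init_ip, build_udp(UDP_ENCAP_PORT, UDP_ENCAP_PORT, payload))
        kinds.append(gw.receive(pub_ip, dgram))
    # 3) Reply on the paired SA goes to the NAT's public address/port, and the NAPT maps it back.
    dst_ip, reply = gw.reply(0x1234, 0xABCD, 1, b"reply-ct")
    priv_ip, delivered = napt.inbound(reply)
    _sp, dp, inner_payload = parse_udp(delivered)
    _kind, (spi, _seq, ct) = demux(inner_payload)
    return {"kinds": kinds, "learned_peer": gw.peer_by_spi[0x1234], "ike_peer": gw.ike_peer,
            "reply_dst": dst_ip, "delivered_to": (priv_ip, dp), "reply_spi": spi, "reply_ct": ct}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the scenario is the third step: the gateway never sees 10.0.0.5 in any outer header, so the only way its reply reaches the initiator is the per-SPI table populated from the outer source address and port of the packet that arrived. Two things the toy omits but a deployment cannot: the table entry should be updated only after the ESP integrity check passes, and the NAPT entry itself will expire unless something (the ESP traffic or an explicit keepalive from the initiator) keeps it alive.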

