
RE: IPSEC Security Gateways & NAT



Jayant,
Shukla's draft seems to talk only about UDP(inner)->UDP(outer) and
TCP->TCP mapping.

What to do with other protocols in the IP "protocol" field?

It seems to me that, to be simple, all we need is to
duplicate (not map) the original IP header for tunneling before
encrypting the inner IP packet.
Afterward, forward this tunneled IP packet to the NAT device(s)
to reach the peer.
If there is no NAT device in between the IPSec peers, the tunneling will be
redundant.

However, we can yet have another IPSec tunneling protocol for signaling to
decide if this pair of IPSec peers needs tunneling
(if the first received packet's inner SIP is the same as the outer SIP...).

Regards,

--- David

-----Original Message-----
From: jshukla [mailto:jshukla@earthlink.net]
Sent: Monday, June 11, 2001 7:22 PM
To: Chen, David; 'Derek Atkins'
Cc: ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT



----- Original Message -----
From: "Chen, David" <dchen@ellacoya.com>


> Jayant,
>
> It seems to work if
> IKE is encapsulated in a UDP/IP with the same as IKE's original 500/IP at the
> initiator, and the responder does not check the outer IP and knows to
> decapsulate the outer UDP/IP.

Yes, but the information from the outer header is needed
to redirect the replies properly.

> An extra header consumes bandwidth, but it is signaling; therefore, it can be traded
> for security through NAPT.
>

If you do it only for the first packet, then you don't even waste
much bandwidth.

> For ESPoUDP,
> it is desirable to have mapping as TCP->TCP and UDP->UDP and
> OtherProtocol->OtherProtocol from inner to outer, and not just uniformly
> using UDP.
>

Yes, it is desirable to have mapping TCP-> TCP and UDP->UDP,
but then it is *no longer* ESPoUDP. For them, it is TCP/UDP->UDP.
It is in NGISec that you have TCP->TCP and UDP->UDP.

http://search.ietf.org/internet-drafts/draft-shukla-ipsec-nat-qos-compatible-security-00.txt


> Furthermore, for IP QoS,
> it seems only DS (TOS byte) is significant for IP packets classification.
> It also can be copied from inner to outer.
>

While DS may be sufficient in some cases, it is
highly desirable to have per-flow based QoS.
With TCP->TCP and UDP->UDP mapping and
the transport layer header visible in the clear, we
can support per-flow (application level) based QoS.

> It seems that, for traversing NAPT securely, the answer is
> copying the whole inner (encrypted) header to the outer header (except addresses and
> checksum)?
>

In short, yes. As long as you have a mechanism for
decapsulating the packets with extra headers,
generating the mappings from inner headers to outer headers,
and using the mappings to redirect the outbound packets
appropriately.

regards,
Jayant
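Added example, not part of either message or of the draft: a small Python simulation of the scheme the two mails converge on. It models David's proposal (the outer header is a plain duplicate of the inner one, addresses included, so a NAT in the path shows up as outer source != inner source on the first received packet) and Jayant's closing summary (the receiving peer decapsulates, records an inner-flow -> outer-address/port mapping, and uses it to redirect replies). Header and TunnelPacket are constructed stand-ins for real IP/ESP packets; the inner header is treated as opaque to the NAT, which stands in for encryption. The NAPT maps only TCP and UDP, which makes David's question about other IP protocols visible as an error. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import Dict, Tuple

@dataclass(frozen=True)
class Header:
    src: str
    dst: str
    proto: str   # "tcp", "udp", or another IP protocol such as "icmp"
    sport: int   # 0 for protocols that carry no port numbers
    dport: int
    ds: int      # DS/TOS byte; duplicated into the outer header so QoS classification still works

@dataclass(frozen=True)
class TunnelPacket:
    outer: Header  # the duplicated header that NAT devices see and rewrite
    inner: Header  # stands in for the encrypted inner packet; the NAT never touches it

FlowKey = Tuple[str, str, int]  # (inner src, proto, inner sport)

def build_outer(inner: Header) -> Header:
    """David's proposal: the outer header is a duplicate of the inner one, not a mapping."""
    return replace(inner)

class Napt:
    """A port-translating NAT. It maps only TCP and UDP, the gap David asks about."""
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.fwd: Dict[Tuple[str, str, int], int] = {}        # (src, proto, sport) -> public port
        self.rev: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, public port) -> (src, sport)

    def outbound(self, pkt: TunnelPacket) -> TunnelPacket:
        h = pkt.outer
        if h.proto not in ("tcp", "udp"):
            raise ValueError(f"no port mapping for protocol {h.proto}")
        key = (h.src, h.proto, h.sport)
        if key not in self.fwd:
            self.fwd[key] = self.next_port
            self.rev[(h.proto, self.next_port)] = (h.src, h.sport)
            self.next_port += 1
        return TunnelPacket(replace(h, src=self.public_ip, sport=self.fwd[key]), pkt.inner)

    def inbound(self, pkt: TunnelPacket) -> TunnelPacket:
        h = pkt.outer
        src, sport = self.rev[(h.proto, h.dport)]  # KeyError models an unsolicited inbound packet being dropped
        return TunnelPacket(replace(h, dst=src, dport=sport), pkt.inner)

class Endpoint:
    """An IPsec peer: duplicates headers on the way out, learns inner->outer mappings on the way in."""
    def __init__(self) -> None:
        self.peer_by_flow: Dict[FlowKey, Tuple[str, int]] = {}

    def encapsulate(self, inner: Header) -> TunnelPacket:
        return TunnelPacket(build_outer(inner), inner)

    def decapsulate(self, pkt: TunnelPacket) -> Tuple[Header, bool]:
        # Jayant's mapping: remember where replies for this inner flow must really be sent
        key = (pkt.inner.src, pkt.inner.proto, pkt.inner.sport)
        self.peer_by_flow[key] = (pkt.outer.src, pkt.outer.sport)
        # David's check: a NAT between the peers shows up as outer source != inner source
        nat_in_path = pkt.outer.src != pkt.inner.src
        return pkt.inner, nat_in_path

    def encapsulate_reply(self, inner: Header) -> TunnelPacket:
        # Duplicate the header, then redirect the outer destination using the recorded mapping
        outer = build_outer(inner)
        mapping = self.peer_by_flow.get((inner.dst, inner.proto, inner.dport))
        if mapping is not None:
            outer = replace(outer, dst=mapping[0], dport=mapping[1])
        return TunnelPacket(outer, inner)

def run_scenario() -> dict:
    """Initiator behind a NAPT talks to a responder; returns the headers seen at each hop."""
    initiator, responder = Endpoint(), Endpoint()
    napt = Napt("203.0.113.1")                       # constructed public address of the NAT
    request = Header("10.0.0.5", "198.51.100.7", "tcp", 1234, 443, 0x2E)
    on_wire = napt.outbound(initiator.encapsulate(request))
    received, nat_seen = responder.decapsulate(on_wire)
    reply = Header("198.51.100.7", "10.0.0.5", "tcp", 443, 1234, 0x2E)
    reply_wire = responder.encapsulate_reply(reply)
    delivered, _ = initiator.decapsulate(napt.inbound(reply_wire))
    return {"on_wire": on_wire.outer, "received": received, "nat_seen": nat_seen,
            "reply_wire": reply_wire.outer, "delivered": delivered}

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Running the scenario shows the NAPT rewriting only the outer source address and port, the responder recovering the untouched inner header, the DS byte surviving on the outer header, and the reply reaching the initiator's original address and port through the recorded mapping. Passing an ICMP inner header through the same NAPT raises ValueError, which is David's open question in executable form.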