RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt



Reiterating my point that support for AH adds (unnecessary) complexity:  The
steps outlined for AH Decapsulation in sections 3.7 and 3.9 will fail the
ICV verification check for every single packet.  There needs to be a step
inserted that changes the source and/or destination address in the outer IP
header to match the source/destination addresses that were used during the
encapsulation process. And then for the transport case, after step 5) change
the address(es) back.

In section 3.1.2, for step c) it is the destination address that has changed
for inbound packets to the side that's behind the NATing device.  And for
the uncommon case where both ends are behind NATing devices, both the source
and destination addresses will have changed.

-dave
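To make the point above concrete, here is an added illustration (not code from the draft or from the poster) of why the AH integrity check fails once a NAT has rewritten an outer address, and why restoring the pre-NAT address before verification makes it pass. The addresses, key, SPI and payload are constructed sample values; the ICV is HMAC-SHA1 truncated to 96 bits over the IPv4 header with mutable fields zeroed, the AH header with a zeroed ICV field, and the payload.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed sample values (assumptions, not from the draft).
KEY = b"constructed-ah-key-16b"
SRC, DST = "10.0.0.5", "192.0.2.10"    # addresses used at encapsulation
NAT_SRC = "203.0.113.7"                # source as rewritten by the NAT
PAYLOAD = b"inner packet bytes (constructed)"
SPI, SEQ = 0x1000, 1

def ipv4_header_for_icv(src, dst, total_length, ident=0x1234, proto=51):
    """IPv4 header as AH covers it: mutable fields (TOS, flags/fragment
    offset, TTL, checksum) zeroed; src/dst are immutable and ARE covered."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, ident,
                       0, 0, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ah_icv(src, dst, payload, key=KEY):
    ah_len = 24                      # 12-byte fixed AH header + 12-byte ICV
    total = 20 + ah_len + len(payload)
    # AH header with the ICV field zeroed: next header (4 = IPv4),
    # payload length in 32-bit words minus 2, reserved, SPI, sequence number.
    ah = struct.pack("!BBHII", 4, (ah_len // 4) - 2, 0, SPI, SEQ) + bytes(12)
    data = ipv4_header_for_icv(src, dst, total) + ah + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ah_verify(src, dst, payload, icv, key=KEY):
    return hmac.compare_digest(ah_icv(src, dst, payload, key), icv)

def decapsulate_after_nat(observed_src, dst, payload, icv, original_src):
    """Returns (naive, corrected): verification against the addresses seen
    on the wire, and after restoring the address used at encapsulation."""
    naive = ah_verify(observed_src, dst, payload, icv)
    corrected = ah_verify(original_src, dst, payload, icv)
    return naive, corrected

if __name__ == "__main__":
    icv = ah_icv(SRC, DST, PAYLOAD)  # sender computes the ICV before the NAT
    print(decapsulate_after_nat(NAT_SRC, DST, PAYLOAD, icv, SRC))  # (False, True)
```

The same restoration applies to the destination address for packets inbound to the host behind the NAT, and to both addresses when both ends are NATed.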
