RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt



I think the burden of fixing the TCP/UDP header checksums (and any contained
protocols that have been broken by NAT - section 3.1.2) would be better
placed if the side that is behind the NAT device is in charge of fixing it
(for their address).  This means that this function would sometimes be
performed as part of encapsulation (pre-fixing) as well as decapsulation
(post-fixing).  The reason that I suggest this is that the common case is
that the side behind the NAT device (usually a VPN client) generally will
have only one (or a very small number) of active IPsec links, whereas the
other end (usually a gateway/server) will have perhaps thousands of active
IPsec links.  The impact on the client of having to always do the transport
mode checksum fixing will be minimal, whereas the benefit to the
server/gateway could be significant.

-dave
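
The checksum fix-up discussed in the message above, as an added example that is not part of the original message or of the draft: it applies the RFC 1624 incremental update for a changed source address and compares it with a full recomputation. The addresses, the UDP segment and all function names are constructed for illustration, and the code assumes the side doing the fix knows both the private and the NAT-mapped address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample values (not from the message): documentation/private addresses. */
#define PRIV 0x0A000005u /* 10.0.0.5     client address behind the NAT  */
#define PUB  0xCB007107u /* 203.0.113.7  address the NAT maps it to     */
#define PEER 0xC6336401u /* 198.51.100.1 gateway                        */
/* UDP segment: ports 5000 -> 53, length 13, checksum field zero, payload "hello". */
static const uint8_t SEG[13] = {0x13,0x88, 0x00,0x35, 0x00,0x0D, 0x00,0x00, 'h','e','l','l','o'};

/* Fold a 32-bit accumulator into a 16-bit ones' complement sum. */
static uint16_t fold(uint32_t s) {
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return (uint16_t)s;
}

/* Full UDP checksum over the IPv4 pseudo-header plus the segment. */
uint16_t udp_checksum(uint32_t src, uint32_t dst, const uint8_t *p, size_t len) {
    uint32_t s = (src >> 16) + (src & 0xFFFF) + (dst >> 16) + (dst & 0xFFFF);
    s += 17 + (uint32_t)len;                      /* protocol 17 (UDP), UDP length */
    for (; len > 1; p += 2, len -= 2) s += (uint32_t)p[0] << 8 | p[1];
    if (len) s += (uint32_t)p[0] << 8;            /* odd trailing byte, zero padded */
    return (uint16_t)~fold(s);
}

/* Incremental fix-up, RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m'), with m the old
   address and m' the new one, each taken as two 16-bit words. O(1) per packet. */
uint16_t csum_fix_addr(uint16_t hc, uint32_t old_addr, uint32_t new_addr) {
    uint32_t s = (uint16_t)~hc;
    s += (uint16_t)~(old_addr >> 16);
    s += (uint16_t)~(old_addr & 0xFFFF);
    s += (new_addr >> 16) + (new_addr & 0xFFFF);
    return (uint16_t)~fold(s);
}

/* Checksum the client's stack wrote (private source) and the one the gateway
   needs once it rebuilds the pseudo-header with the NAT's public address. */
uint16_t sent_checksum(void)    { return udp_checksum(PRIV, PEER, SEG, sizeof SEG); }
uint16_t expected_at_peer(void) { return udp_checksum(PUB,  PEER, SEG, sizeof SEG); }

int main(void) {
    uint16_t sent = sent_checksum();
    /* Pre-fixing on the client before encapsulation and post-fixing on the
       gateway after decapsulation are the same computation. */
    uint16_t fixed = csum_fix_addr(sent, PRIV, PUB);
    printf("sent=%04x fixed=%04x expected=%04x\n", sent, fixed, expected_at_peer());
    return fixed == expected_at_peer() ? 0 : 1;
}
```

The per-packet cost is a handful of additions either way; what changes with placement is which host pays it across all of its active links.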