
Re: Why can't ESP authenticate IP header?



In message <002101c1457e$62e73540$ae0510ac@roc.com>, "lokesh" writes:
>Re: Why can't ESP authenticate IP header?
>
>As noted, ESP coverage of selected header fields would increase complexity
>and reduce performance. It also would create even more circumstances where
>NAT could interfere with IPsec use. Today, using ESP in tunnel mode can be
>made to work with NAT, but if the outer S/D IP addresses were covered, that
>capability (I hesitate to call it a feature) would go away.
>
>  Steve,
>
>  As far as I know, in many implementations, NAT is done prior to IPsec
>processing at the sending end, and IPsec processing is done before NAT
>at the receiving end.
>  Are there situations where NAT would interfere in IPsec processing? If so,
>will you kindly brief them?
>
>  Assuming there will be situations where NAT will interfere with IPsec
>processing, how will AH in transport mode work there?

Read draft-aboba-nat-ipsec-04.txt for a description of the interactions 
between IPsec and NAT.


		--Steve Bellovin, http://www.research.att.com/~smb
				  http://www.wilyhacker.com
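As an added illustration of the point raised in the thread (not code from the list or from any IPsec implementation), here is a simplified model of why a NAT on the path breaks AH in transport mode but leaves ESP's integrity check intact: AH's ICV covers the IP addresses (only mutable fields such as TTL are zeroed), while ESP's ICV covers only the SPI, sequence number and encrypted payload. The minimal 20-byte IPv4 header, the choice of HMAC-SHA256 truncated to 96 bits as the ICV, and the key, addresses and payload are all constructed assumptions for the demo.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, replace

KEY = b"constructed-demo-key"  # constructed sample key standing in for the SA's auth key

@dataclass(frozen=True)
class IPv4Header:
    ttl: int
    src: bytes  # 4-byte source address
    dst: bytes  # 4-byte destination address

def ip_header_bytes(h, zero_mutable):
    # Minimal 20-byte IPv4 header. For the AH ICV the mutable fields (here TTL and
    # checksum; the real list is longer) are zeroed, the addresses are not.
    ttl = 0 if zero_mutable else h.ttl
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 51, 0, h.src, h.dst)

def ah_icv(hdr, payload):
    # AH transport mode: ICV over the IP header (mutable fields zeroed) + payload
    data = ip_header_bytes(hdr, zero_mutable=True) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def esp_icv(spi, seq, encrypted_payload):
    # ESP: ICV over SPI, sequence number and encrypted payload; the outer IP header is never included
    data = struct.pack("!II", spi, seq) + encrypted_payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def nat_rewrite(hdr, new_src):
    # A NAT on the path rewrites the source address and decrements the TTL
    return replace(hdr, src=new_src, ttl=hdr.ttl - 1)

# Constructed sample packet: a host behind a NAT sending to a remote peer
SENT = IPv4Header(ttl=64, src=bytes([10, 0, 0, 5]), dst=bytes([203, 0, 113, 9]))
NAT_SRC = bytes([198, 51, 100, 1])
PAYLOAD = b"constructed transport-mode payload"

def ah_verifies(arrived):
    # Receiver recomputes the AH ICV over the header as it actually arrived
    return hmac.compare_digest(ah_icv(SENT, PAYLOAD), ah_icv(arrived, PAYLOAD))

def ah_after_ttl_decrement():  # only a mutable field changed: still verifies
    return ah_verifies(replace(SENT, ttl=63))

def ah_after_nat():  # source address rewritten, which AH covers: ICV mismatch
    return ah_verifies(nat_rewrite(SENT, NAT_SRC))

def esp_after_nat(spi=0x1000, seq=1):
    # ESP: the receiver's ICV check never looks at the outer header the NAT rewrote
    icv = esp_icv(spi, seq, PAYLOAD)  # computed by the sender before the NAT
    return hmac.compare_digest(icv, esp_icv(spi, seq, PAYLOAD))
```

This is exactly why covering the outer addresses with ESP would give it AH's NAT incompatibility; a real AH implementation also zeroes TOS, flags, fragment offset and any mutable options before hashing.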