
Re: doubt on draft-ietf-ipsec-nat-t-ike-01.txt



By sending the Destination you can tell the Initiator whether they are
behind a NAT.  The initiator cannot tell on their own without help.
If the initiator gets a NAT_T payload that says "here is the hash of
_your_ IP/Port as I received it" and the hash doesn't match what the
initiator hashed for its own IP/Port, then now it knows it's behind a
NAT.

-derek

"Lokesh" <lokeshnb@intotoinc.com> writes:

> Hi All,
> Following is a doubt regarding ID draft-ietf-ipsec-nat-t-ike-01.
> It proposes that the sending party should calculate NAT-D payloads for
> both the Destination and source (its own) IP address and port pairs,
> that is HASH = HASH( CKY-I | CKY-R | IP | Port ).
> So in the normal case (host is not multihomed) there will be
> two NAT-D payloads.
> I want to know why it is proposed to send 2 NAT-D payloads?
> For me, it looks like there is no need for the first NAT-D payload,
> which is the hash on Destination IP and port,
> because Destination IP and ports are not going to change in NAT;
> only source IP and source ports are changed. The sending party can send
> only the second NAT-D payload (HASH on its own IP and src port),
> and the receiver can determine the occurrence of NAT as follows:
> take src IP and src port selectors from the incoming packet,
> prepare a HASH on them and compare with the HASH of the NAT-D payload sent
> by the other peer. If the match is OK, there is no NAT; if it fails, there is a NAT.
> 
> Is that OK? Or am I missing some point here? If so, correct me please.
> 
> Thanks
> -Lokesh
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
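The two-payload exchange Derek describes, worked through in code. This is an added example, not code from the thread or from the draft; it assumes SHA-1 as the negotiated IKE hash, a 4-byte IPv4 address and a 2-byte big-endian port inside the hash input, and the cookies and addresses below are constructed for illustration. It runs both directions once, with the initiator behind a NAT, and once with no NAT, so the effect of the destination payload on the initiator's own result is visible.

```python
"""NAT-D detection per draft-ietf-ipsec-nat-t-ike-01, as a worked example.

Assumptions (not from the thread): the negotiated IKE hash is SHA-1, IP is the
4-byte IPv4 address, Port is a 2-byte big-endian integer, and the cookies and
addresses below are constructed for illustration only.
"""
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (8 bytes each), not real session values.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed as the negotiated hash."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_d_payloads(local_ip, local_port, remote_ip, remote_port):
    """Payloads a sender emits: the destination (the peer, as the sender
    addresses it) first, then one payload per possible source address
    (a single one here, since the host is not multihomed)."""
    return [
        nat_d_hash(CKY_I, CKY_R, remote_ip, remote_port),
        nat_d_hash(CKY_I, CKY_R, local_ip, local_port),
    ]


def check_nat_d(payloads, local_ip, local_port, observed_src_ip, observed_src_port):
    """Receiver's check. Returns (self_behind_nat, peer_behind_nat).

    First payload: if it differs from the hash of our *own* address as we know
    it, the address the peer sent to is not ours, so we are behind a NAT.
    Remaining payloads: if none matches the hash of the packet's observed
    source, the peer's address was rewritten in transit, so the peer is behind
    a NAT. Without the first payload, a receiver learns nothing about itself.
    """
    dst_hash, *src_hashes = payloads
    self_behind_nat = dst_hash != nat_d_hash(CKY_I, CKY_R, local_ip, local_port)
    observed = nat_d_hash(CKY_I, CKY_R, observed_src_ip, observed_src_port)
    peer_behind_nat = observed not in src_hashes
    return self_behind_nat, peer_behind_nat


def run_exchange(nat_present=True):
    """Initiator on a private address (optionally behind a NAT) talking to a
    responder on a public address. Returns each side's detection result."""
    init_ip, init_port = "10.0.0.5", 500        # constructed private address
    resp_ip, resp_port = "198.51.100.2", 500    # constructed public responder
    if nat_present:
        nat_ip, nat_port = "203.0.113.7", 61000  # what the NAT rewrites the source to
    else:
        nat_ip, nat_port = init_ip, init_port    # no translation on the path

    # Initiator -> responder. The initiator knows only its private address, so
    # its source payload hashes 10.0.0.5:500; the responder observes the
    # packet's source as whatever the path delivered.
    i_payloads = build_nat_d_payloads(init_ip, init_port, resp_ip, resp_port)
    r_self, r_peer = check_nat_d(i_payloads, resp_ip, resp_port, nat_ip, nat_port)

    # Responder -> initiator. The responder addresses its reply to the source
    # it observed, so its first payload hashes that observed address. The
    # initiator compares it against the hash of its own 10.0.0.5:500.
    r_payloads = build_nat_d_payloads(resp_ip, resp_port, nat_ip, nat_port)
    i_self, i_peer = check_nat_d(r_payloads, init_ip, init_port, resp_ip, resp_port)

    return {
        "responder": {"self_behind_nat": r_self, "peer_behind_nat": r_peer},
        "initiator": {"self_behind_nat": i_self, "peer_behind_nat": i_peer},
    }


if __name__ == "__main__":
    for label, nat in (("with NAT", True), ("no NAT", False)):
        print(label, run_exchange(nat_present=nat))
```

With the NAT present, the responder sees the peer as translated (its second-payload check fails) but itself as untranslated, while the initiator sees the peer as untranslated but learns from the first payload that the address it was reached at is not its own. The initiator's source-only check alone returns False in both runs, which is the gap the destination payload closes.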