Re: doubt on draft-ietf-ipsec-nat-t-ike-01.txt
By sending the Destination you can tell the Initiator whether they are
behind a NAT. The initiator cannot tell on their own without help.
If the initiator gets a NAT_T payload that says "here is the hash of
_your_ IP/Port as I received it" and the hash doesn't match what the
initiator hashed for its own IP/Port, then now it knows it's behind a
NAT.
-derek
"Lokesh" <lokeshnb@intotoinc.com> writes:
> Hi All,
> Following is a doubt regarding ID draft-ietf-ipsec-nat-t-ike-01.
> It proposes that the sending party should calculate NAT-D payloads for
> both Destination and source (its own) IP address and port pairs,
> that is HASH = HASH( CKY-I | CKY-R | IP | Port ).
> So in the normal case (host is not multihomed) there will be
> two NAT-D payloads.
> I want to know why it is proposed to send 2 NAT-D payloads?
> For me, it looks that there is no need for the first NAT-D payload,
> which is the hash on Destination IP and port,
> because Destination IP and Ports are not going to change in NAT;
> only source IP and source ports are changed. The sending party can send
> only the second NAT-D payload (HASH on its own IP and src port),
> and the receiving party can determine occurrence of NAT as follows:
> take src ip and src port selectors from the incoming packet,
> prepare a HASH on them and compare with the HASH of the NAT-D payload sent
> by the other peer. If the match is ok, there is no NAT; if it fails, there is a NAT.
>
> Is that OK? Or am I missing some point here? If so, correct me please.
>
> Thanks
> -Lokesh
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
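The two-payload check Derek describes, as an added worked example that is not part of either poster's message or of the draft: both peers compute HASH(CKY-I | CKY-R | IP | Port) for the destination and for their own source address, and the *destination* hash is what lets the initiator learn that its own address was rewritten. SHA-1 as the negotiated hash, the cookies and the addresses (including the NAT-translated 198.51.100.7:61321) are constructed assumptions.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D body: HASH(CKY-I | CKY-R | IP | Port). IP in network byte order
    (4 or 16 bytes), port as 2 bytes big-endian. SHA-1 assumed as the negotiated hash."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, peer_ip, peer_port, own_ip, own_port):
    """First payload hashes the peer (destination) address as the sender sees it,
    the following payload(s) hash the sender's own (source) address(es)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, own_ip, own_port)]


def check_nat_d(cky_i, cky_r, payloads, seen_src_ip, seen_src_port, own_ip, own_port):
    """Returns (peer_behind_nat, self_behind_nat).
    peer_behind_nat: hash of the source address we actually observed is not among
      the peer's own-address hashes, so the peer's source was rewritten in transit.
    self_behind_nat: the peer's hash of *our* address differs from our own hash,
      so our address was rewritten before the peer saw it (this is why the
      destination hash is needed: we cannot observe that rewrite ourselves)."""
    observed = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    peer_behind_nat = observed not in payloads[1:]
    self_behind_nat = payloads[0] != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    return peer_behind_nat, self_behind_nat


def scenario(initiator_behind_nat: bool) -> dict:
    """Constructed exchange: initiator 10.0.0.5:500, optionally NATed to
    198.51.100.7:61321; responder 203.0.113.1:500 with no NAT on its side."""
    cky_i = bytes.fromhex("0011223344556677")  # constructed cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    init_priv = ("10.0.0.5", 500)
    init_seen = ("198.51.100.7", 61321) if initiator_behind_nat else init_priv
    resp = ("203.0.113.1", 500)
    # Initiator sends: [hash(responder addr), hash(its own private addr)]
    init_payloads = build_nat_d_payloads(cky_i, cky_r, *resp, *init_priv)
    # Responder observes the packet arriving from init_seen
    r_peer_nat, r_self_nat = check_nat_d(cky_i, cky_r, init_payloads, *init_seen, *resp)
    # Responder replies: [hash(initiator addr as it saw it), hash(its own addr)]
    resp_payloads = build_nat_d_payloads(cky_i, cky_r, *init_seen, *resp)
    # Initiator observes the reply arriving from the responder's real address
    i_peer_nat, i_self_nat = check_nat_d(cky_i, cky_r, resp_payloads, *resp, *init_priv)
    return {"responder_sees_peer_nat": r_peer_nat, "responder_self_nat": r_self_nat,
            "initiator_sees_peer_nat": i_peer_nat, "initiator_self_nat": i_self_nat}
```

With only the source hash (Lokesh's proposal) the responder would still detect the NAT, but the initiator would have no payload to compare against its own address and could not learn that it is the one behind the NAT.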