
RE: NAT Traversal



> 
> How can such demon-spawn even use SPI for ESP/AH messages?  The
> SPI is encrypted within IKE and is not symmetric, so when the
> NAT box receives a message for SPI X, how does it know where
> to route it?
> 

What demon-spawn?? That is the RSIP method and it is widely deployed.
I think the following link should help you understand how it works. If
you still don't get it, do feel free to ask questions. 

http://www.ietf.org/proceedings/99jul/slides/nat-rsip-99jul/sld011.htm 


> Boxes that do this are just plain broken and should be
> completely nuked from orbit.
> 
> -derek

How did you figure that out? I don't think you would have said that if
you understood the RSIP method. If anything should be called demon-spawn
or broken, it is the NAT traversal draft. Moreover, after you have
examined the NAT Traversal draft you might also notice several
problems/drawbacks it has. 


Regards,
Jayant

> 
> "Jayant Shukla" <jshukla@trlokom.com> writes:
> 
> > Yes, it is the same issue that causes several problems. IPsec pass-thru
> > enabled routers monitor the cookie to route the IKE messages (they use
> > cookies for IKE and SPI for IPsec messages).
> >
> > Putting 8 bytes of zero where the cookie should be creates problems for
> > IPsec messages as they might be routed to the wrong host. In keep-alive
> > messages there is nothing where the cookie should be and so they get
> > dropped.
> >
> >
> > Regards,
> > Jayant
> >
> >
> >
> > > -----Original Message-----
> > > From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]
> > > On Behalf Of Takaoka Takayoshi
> > > Sent: Friday, February 22, 2002 1:43 AM
> > > To: 'Jayant Shukla'; ipsec@lists.tislabs.com
> > > Subject: RE: NAT Traversal
> > >
> > > That means, a certain router drops the IKE keep-alive packet, right?
> > > I need more information for this issue.
> > >
> > > Best regards,
> > > Taka
> > >
> > > -----Original Message-----
> > > From: Jayant Shukla [mailto:jshukla@trlokom.com]
> > > Sent: Friday, February 22, 2002 1:18 PM
> > > To: ipsec@lists.tislabs.com
> > > Subject: NAT Traversal
> > >
> > >
> > >
> > > The proposed NAT traversal method runs into problems with some routers
> > > that monitor the IKE cookies. What steps are being taken to overcome this
> > > problem?
> > >
> > > Regards,
> > > Jayant
> > >
> > >
> >
> >
> >
> 
> --
>        Derek Atkins
>        Computer and Internet Security Consultant
>        derek@ihtfp.com             www.ihtfp.com
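The routing problem the thread argues about can be made concrete with a small model of the two demultiplexing strategies. The code below is an added illustration; it is not from this thread, from the NAT traversal draft, or from any router vendor. It assumes the framing the thread describes: an IKE packet starts with an 8-byte initiator cookie that is never all zero, a UDP-encapsulated ESP packet has 8 zero bytes where the cookie would sit followed by the 4-byte SPI, and a keep-alive is a single byte (0xFF is assumed here) so there is nothing at all in the cookie position. Two hosts behind one NAT are simulated with constructed packets; `naive_key` models a pass-thru router that keys every packet on bytes 0..7, while `aware_key` keys IKE by cookie and ESP by SPI.

```python
import struct

NON_IKE_MARKER = b"\x00" * 8   # 8 zero bytes in front of encapsulated ESP (per the thread)
KEEPALIVE = b"\xff"            # assumed one-byte keep-alive body


def classify(payload: bytes) -> dict:
    """Classify one UDP payload arriving on the shared IKE/encapsulation port."""
    if payload == KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 12:
        return {"kind": "malformed"}
    if payload[:8] == NON_IKE_MARKER:
        (spi,) = struct.unpack("!I", payload[8:12])   # SPI follows the marker
        return {"kind": "esp", "spi": spi}
    return {"kind": "ike", "icookie": payload[:8].hex()}


def naive_key(payload: bytes):
    """Routing key of a pass-thru router that treats bytes 0..7 of every
    packet as an IKE cookie. Returns None (packet dropped) when there is
    nothing where the cookie should be."""
    if len(payload) < 8:
        return None
    return payload[:8].hex()


def aware_key(payload: bytes):
    """Routing key of a router that understands the encapsulation:
    IKE by initiator cookie, ESP by SPI; keep-alives need no per-host key."""
    info = classify(payload)
    if info["kind"] == "ike":
        return ("ike", info["icookie"])
    if info["kind"] == "esp":
        return ("esp", info["spi"])
    return None


def collisions(keyfn, packets):
    """Map each routing key shared by more than one packet to the packet count."""
    seen = {}
    for p in packets:
        seen.setdefault(keyfn(p), []).append(p)
    return {k: len(v) for k, v in seen.items() if len(v) > 1}


# Constructed sample packets for two internal hosts A and B behind one NAT.
IKE_A = bytes.fromhex("0102030405060708") + bytes(20)           # cookie + dummy body
IKE_B = bytes.fromhex("1112131415161718") + bytes(20)
ESP_A = NON_IKE_MARKER + struct.pack("!I", 0x1000A) + bytes(16)  # marker + SPI + dummy
ESP_B = NON_IKE_MARKER + struct.pack("!I", 0x1000B) + bytes(16)
PACKETS = [IKE_A, IKE_B, ESP_A, ESP_B]


if __name__ == "__main__":
    for p in PACKETS + [KEEPALIVE]:
        print(classify(p), "naive:", naive_key(p), "aware:", aware_key(p))
    print("naive collisions:", collisions(naive_key, PACKETS))
    print("aware collisions:", collisions(aware_key, PACKETS))
```

Under the naive scheme both hosts' ESP packets collapse onto the all-zero key, which is exactly the "routed to the wrong host" case, and the one-byte keep-alive yields no key at all, which is the drop case; the encapsulation-aware scheme keeps every flow distinct.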