
Re: NAT Traversal



Note that RSIP != NAT (per se).  Since RSIP requires interaction
between the sending client and the translator gateway, I don't see a
problem with the NAT traversal drafts.  If the client is RSIPsec
aware, then it does not need IPsec NAT traversal (because it knows
what the external address will be).  So, what's the problem?  If it's
using RSIP, it doesn't use NAT Traversal.  It's sort of like if you're
using TCP on a socket, you can't use UDP on that socket.

So, again, I don't see the problem.  There are two protocols that
effectively do the same thing; you just cannot use them both at the
same time.  However, the client KNOWS when it's using one of them so
it can make the choice about which one to use.

-derek

"Jayant Shukla" <jshukla@trlokom.com> writes:

> > 
> > How can such demon-spawn even use SPI for ESP/AH messages?  The
> > SPI is encrypted within IKE and is not symmetric, so when the
> > NAT box receives a message for SPI X, how does it know where
> > to route it?
> > 
> 
> What demon-spawn?? That is the RSIP method and it is widely deployed.
> I think the following link should help you understand how it works. If
> you still don't get it, do feel free to ask questions. 
> 
> http://www.ietf.org/proceedings/99jul/slides/nat-rsip-99jul/sld011.htm 
> 
> 
> > Boxes that do this are just plain broken and should be
> > completely nuked from orbit.
> > 
> > -derek
> 
> How did you figure that out? I don't think you would have said that if
> you understood the RSIP method. If anything should be called demon-spawn
> or broken, it is the NAT traversal draft. Moreover, after you have
> examined the NAT Traversal draft you might also notice several
> problems/drawbacks it has. 
> 
> 
> Regards,
> Jayant
> 
> > 
> > "Jayant Shukla" <jshukla@trlokom.com> writes:
> > 
> > > Yes, it is the same issue that causes several problems. IPsec pass-thru
> > > enabled routers monitor the cookie to route the IKE messages (they use
> > > cookies for IKE and SPI for IPsec messages).
> > >
> > > Putting 8 bytes of zero where the cookie should be creates problems for
> > > IPsec messages as they might be routed to the wrong host. In keep-alive
> > > messages there is nothing where the cookie should be and so they get
> > > dropped.
> > >
> > >
> > > Regards,
> > > Jayant
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: owner-ipsec@lists.tislabs.com
> > > [mailto:owner-ipsec@lists.tislabs.com]
> > > > On Behalf Of Takaoka Takayoshi
> > > > Sent: Friday, February 22, 2002 1:43 AM
> > > > To: 'Jayant Shukla'; ipsec@lists.tislabs.com
> > > > Subject: RE: NAT Traversal
> > > >
> > > > That means, a certain router drops the IKE keep-alive packet, right?
> > > > I need more information for this issue.
> > > >
> > > > Best regards,
> > > > Taka
> > > >
> > > > -----Original Message-----
> > > > From: Jayant Shukla [mailto:jshukla@trlokom.com]
> > > > Sent: Friday, February 22, 2002 1:18 PM
> > > > To: ipsec@lists.tislabs.com
> > > > Subject: NAT Traversal
> > > >
> > > >
> > > >
> > > > The proposed NAT traversal method runs into problems with some routers that
> > > > monitor the IKE cookies. What steps are being taken to overcome this
> > > > problem?
> > > >
> > > > Regards,
> > > > Jayant
> > > >
> > > >
> > >
> > >
> > >
> > 
> > --
> >        Derek Atkins
> >        Computer and Internet Security Consultant
> >        derek@ihtfp.com             www.ihtfp.com
> 
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
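An added illustration of the failure mode Jayant describes above (this is example code written for this page, not code from the thread or any of its participants). It demultiplexes UDP/4500 payloads the way a NAT-T aware endpoint does, using the 8-byte zero Non-ESP marker the thread refers to (the draft-era format; RFC 3948 later shrank the marker to 4 bytes), and contrasts it with the naive "first 8 bytes are the IKE cookie" lookup a cookie-monitoring pass-through router performs. Function names and the sample packets are constructed for the example; the ISAKMP header layout follows RFC 2408.

```python
import struct

NON_ESP_MARKER = b"\x00" * 8   # 8 zero bytes in front of IKE on UDP/4500 (draft-era format)
NAT_KEEPALIVE = b"\xff"        # one-byte NAT keepalive; there is no header at all
ISAKMP_HDR_LEN = 28            # 8+8 cookies, 4 bytes of flags/version, msgid, length


def build_natt_ike(icookie: bytes, rcookie: bytes, body: bytes = b"") -> bytes:
    """Constructed UDP-encapsulated IKE packet: Non-ESP marker, then an ISAKMP header.
    next payload=1 (SA), version=0x10, exchange=2 (identity protect), flags=0, msgid=0."""
    assert len(icookie) == 8 and len(rcookie) == 8
    hdr = icookie + rcookie + struct.pack("!BBBBII", 1, 0x10, 2, 0, 0, ISAKMP_HDR_LEN + len(body))
    return NON_ESP_MARKER + hdr + body


def classify_udp4500(payload: bytes):
    """What a NAT-T aware endpoint does: return (kind, demux_key).
    kind is 'keepalive' (key None), 'ike' (key = 16-byte cookie pair) or 'esp' (key = SPI)."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR_LEN:
            raise ValueError("truncated ISAKMP header")
        return ("ike", ike[:16])          # real cookies sit *after* the marker
    if len(payload) < 8:
        raise ValueError("too short to be ESP")
    spi = struct.unpack("!I", payload[:4])[0]
    if spi == 0:                          # SPI 0 is reserved and never appears on the wire
        raise ValueError("invalid SPI 0")
    return ("esp", spi)


def naive_cookie_key(payload: bytes) -> bytes:
    """What a cookie-monitoring pass-through router does: treat the first 8 bytes
    as the initiator cookie and use them as the routing key. With the marker in
    front, every NAT-T IKE packet yields the same all-zero key; a keepalive yields
    only one byte, so it fits no state entry and is dropped."""
    return payload[:8]


if __name__ == "__main__":
    host_a = build_natt_ike(b"\x01" * 8, b"\x02" * 8)   # two different sessions
    host_b = build_natt_ike(b"\x03" * 8, b"\x04" * 8)
    print(classify_udp4500(host_a)[1] != classify_udp4500(host_b)[1])  # endpoint tells them apart
    print(naive_cookie_key(host_a) == naive_cookie_key(host_b))        # router cannot
    print(len(naive_cookie_key(NAT_KEEPALIVE)))                        # 1 byte: nothing to match on
```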