Re: NAT Traversal
How can such demon-spawn even use SPI for ESP/AH messages? The
SPI is encrypted within IKE and is not symmetric, so when the
NAT box receives a message for SPI X, how does it know where
to route it?
Boxes that do this are just plain broken and should be
completely nuked from orbit.
-derek
"Jayant Shukla" <jshukla@trlokom.com> writes:
> Yes, it is the same issue that causes several problems. IPsec pass-thru
> enabled routers monitor the cookie to route the IKE messages (they use
> cookies for IKE and SPI for IPsec messages).
>
> Putting 8 bytes of zero where the cookie should be creates problems for
> IPsec messages as they might be routed to the wrong host. In keep-alive
> messages there is nothing where the cookie should be and so they get
> dropped.
>
>
> Regards,
> Jayant
>
>
>
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]
> > On Behalf Of Takaoka Takayoshi
> > Sent: Friday, February 22, 2002 1:43 AM
> > To: 'Jayant Shukla'; ipsec@lists.tislabs.com
> > Subject: RE: NAT Traversal
> >
> > That means a certain router drops the IKE keep-alive packet, right?
> > I need more information for this issue.
> >
> > Best regards,
> > Taka
> >
> > -----Original Message-----
> > From: Jayant Shukla [mailto:jshukla@trlokom.com]
> > Sent: Friday, February 22, 2002 1:18 PM
> > To: ipsec@lists.tislabs.com
> > Subject: NAT Traversal
> >
> >
> >
> > The proposed NAT traversal method runs into problems with some routers
> > that monitor the IKE cookies. What steps are being taken to overcome
> > this problem?
> >
> > Regards,
> > Jayant
> >
> >
>
>
>
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
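The failure Jayant describes, as an added model that is not code from the thread or from any router or IPsec stack: a "pass-thru" NAT that keys every packet on the first 8 octets as if they were the IKE initiator cookie, fed NAT-T packets whose cookie slot holds the all-zero marker. The 8-octet marker, the single-byte 0xFF keep-alive and the SPI-first ESP layout are assumptions taken from the draft as this thread describes it; the `nat_t_aware` variant is an illustrative fix (the box parses the encapsulation) and is not something the thread proposes.

```python
import struct

# Assumed NAT-T framing, as the thread describes the draft: IKE packets carry an
# 8-octet all-zero "non-ESP marker" where the initiator cookie would be, NAT
# keep-alives are a single 0xFF octet, and anything else is ESP whose first
# 4 octets are the SPI (SPI 0 is reserved, so it never matches the marker).
NON_ESP_MARKER = b"\x00" * 8
KEEPALIVE = b"\xff"

def classify_endpoint(payload: bytes):
    """Demultiplex one UDP payload the way the NAT-T endpoint itself does."""
    if payload == KEEPALIVE:
        return ("keepalive", None)
    if payload.startswith(NON_ESP_MARKER):
        return ("ike", payload[8:16])       # real initiator cookie follows the marker
    if len(payload) >= 8:
        return ("esp", struct.unpack("!I", payload[:4])[0])
    return ("malformed", None)

class PassThruRouter:
    """Model of an 'IPsec pass-thru' NAT that keys traffic on the first 8 octets
    of the UDP payload, assuming they are the IKE initiator cookie."""
    def __init__(self, nat_t_aware: bool = False):
        self.table = {}                     # cookie -> internal host
        self.nat_t_aware = nat_t_aware      # True: the fixed box skips the marker
    def _key(self, payload: bytes):
        if self.nat_t_aware and payload.startswith(NON_ESP_MARKER):
            return payload[8:16]
        return payload[:8] if len(payload) >= 8 else None
    def outbound(self, host: str, payload: bytes) -> bool:
        """Record the mapping; return whether the packet was forwarded at all."""
        if payload == KEEPALIVE:
            return self.nat_t_aware         # nothing to key on: legacy box drops it
        key = self._key(payload)
        if key is None:
            return False
        self.table[key] = host
        return True
    def inbound(self, payload: bytes):
        """Internal host a reply is forwarded to, or None if it is dropped."""
        return self.table.get(self._key(payload))

def demo(nat_t_aware: bool = False) -> dict:
    """Two hosts behind one NAT start IKE; the responder echoes each cookie.
    The packets are constructed for the example, not captured traffic."""
    nat = PassThruRouter(nat_t_aware)
    ike_a = NON_ESP_MARKER + b"\xa1" * 8 + b"\x00" * 20   # host-a's IKE header
    ike_b = NON_ESP_MARKER + b"\xb2" * 8 + b"\x00" * 20   # host-b's IKE header
    nat.outbound("host-a", ike_a)
    nat.outbound("host-b", ike_b)
    return {"reply_for_a": nat.inbound(ike_a),
            "reply_for_b": nat.inbound(ike_b),
            "keepalive_forwarded": nat.outbound("host-a", KEEPALIVE)}
```

With the legacy box both hosts collide on the zero cookie, so host-a's reply lands on host-b and the keep-alive is dropped; the aware box delivers both replies correctly.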