
Re: NAT Traversal



How can such demon-spawn even use SPI for ESP/AH messages?  The
SPI is encrypted within IKE and is not symmetric, so when the
NAT box receives a message for SPI X, how does it know where
to route it?

Boxes that do this are just plain broken and should be
completely nuked from orbit.

-derek

"Jayant Shukla" <jshukla@trlokom.com> writes:

> Yes, it is the same issue that causes several problems. IPsec pass-thru
> enabled routers monitor the cookie to route the IKE messages (they use
> cookies for IKE and SPI for IPsec messages). 
> 
> Putting 8 bytes of zero where the cookie should be creates problems for
> IPsec messages as they might be routed to the wrong host. In keep-alive
> messages there is nothing where the cookie should be and so they get
> dropped.
> 
> 
> Regards,
> Jayant
> 
> 
> 
> > -----Original Message-----
> > From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]
> > On Behalf Of Takaoka Takayoshi
> > Sent: Friday, February 22, 2002 1:43 AM
> > To: 'Jayant Shukla'; ipsec@lists.tislabs.com
> > Subject: RE: NAT Traversal
> > 
> > That means a certain router drops the IKE keep-alive packet, right?
> > I need more information for this issue.
> > 
> > Best regards,
> > Taka
> > 
> > -----Original Message-----
> > From: Jayant Shukla [mailto:jshukla@trlokom.com]
> > Sent: Friday, February 22, 2002 1:18 PM
> > To: ipsec@lists.tislabs.com
> > Subject: NAT Traversal
> > 
> > 
> > 
> > The proposed NAT traversal method runs into problems with some routers
> > that
> > monitor the IKE cookies. What steps are being taken to overcome this
> > problem?
> > 
> > Regards,
> > Jayant
> > 
> > 
> 
> 
> 

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
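The failure mode Jayant describes (a "pass-thru" NAT that demultiplexes UDP/500 traffic by the 8-byte IKE initiator cookie, and therefore mishandles UDP-encapsulated ESP and keep-alives) can be reproduced in a small model. The following is an added illustration, not code from any participant on this thread or from any router vendor. It assumes a simplified packet format: an IKE datagram is its 8-byte cookie followed by a body, UDP-encapsulated ESP is the 8 zero-byte non-ESP marker mentioned above followed by an ESP header, and a keep-alive is a single 0xFF byte (the one-byte keep-alive is an assumption taken from the UDP-encapsulation drafts, not stated in the thread). The host names, cookies and SPI values are constructed.

```python
"""Model of a cookie-tracking IPsec pass-thru NAT (added example, not the
thread's own code). It shows why 8 zero bytes in the cookie position make
UDP-encapsulated ESP land on the wrong inside host, and why a keep-alive
with no cookie at all is dropped."""

from dataclasses import dataclass, field
from typing import Dict, Optional

NON_ESP_MARKER = b"\x00" * 8   # 8 zero bytes where an IKE cookie would sit (from the thread)
KEEPALIVE = b"\xff"            # 1-byte keep-alive (assumption based on the UDP-encaps drafts)


@dataclass
class CookieTrackingNat:
    """NAT that keys its UDP/500 mapping on the first 8 bytes of the payload.

    Outbound datagrams create a mapping 'cookie' -> inside host; inbound
    datagrams are forwarded by looking up their first 8 bytes in that table.
    """
    table: Dict[bytes, str] = field(default_factory=dict)

    def outbound(self, inside_host: str, payload: bytes) -> bool:
        """Learn the 'cookie' of an outbound datagram. Returns False if dropped."""
        if len(payload) < 8:
            return False                      # nothing where the cookie should be
        self.table[payload[:8]] = inside_host  # later senders overwrite earlier ones
        return True

    def inbound(self, payload: bytes) -> Optional[str]:
        """Return the inside host to forward to, or None if the packet is dropped."""
        if len(payload) < 8:
            return None
        return self.table.get(payload[:8])


def ike_packet(initiator_cookie: bytes, body: bytes = b"ike") -> bytes:
    """Simplified IKE datagram: 8-byte initiator cookie, then the rest."""
    return initiator_cookie + body


def udp_esp_packet(spi: int, body: bytes = b"esp") -> bytes:
    """Simplified UDP-encapsulated ESP: 8 zero bytes, 4-byte SPI, then the rest."""
    return NON_ESP_MARKER + spi.to_bytes(4, "big") + body


def simulate() -> dict:
    """Two inside hosts behind one such NAT; report where each packet ends up."""
    nat = CookieTrackingNat()
    cookie_a = bytes.fromhex("0102030405060708")  # constructed cookie, host A
    cookie_b = bytes.fromhex("1112131415161718")  # constructed cookie, host B

    # Both hosts start IKE; the NAT learns a distinct cookie for each.
    nat.outbound("hostA", ike_packet(cookie_a))
    nat.outbound("hostB", ike_packet(cookie_b))

    # Both hosts then send UDP-encapsulated ESP. The 8 zero bytes are taken
    # for a cookie, so both hosts share one table entry and B overwrites A.
    nat.outbound("hostA", udp_esp_packet(spi=0x1000))
    nat.outbound("hostB", udp_esp_packet(spi=0x2000))

    return {
        "ike_to_a": nat.inbound(ike_packet(cookie_a)),          # correct: hostA
        "ike_to_b": nat.inbound(ike_packet(cookie_b)),          # correct: hostB
        "esp_for_a": nat.inbound(udp_esp_packet(spi=0x1000)),   # wrong host: hostB
        "esp_for_b": nat.inbound(udp_esp_packet(spi=0x2000)),   # hostB
        "keepalive_out": nat.outbound("hostA", KEEPALIVE),      # dropped: False
        "keepalive_in": nat.inbound(KEEPALIVE),                 # dropped: None
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name:14s} -> {result}")
```

The model makes Derek's objection concrete: once the NAT routes on a field that is not unique per inside host, any encapsulation that places a constant in that position collides, and any datagram shorter than the field has nothing to look up and is dropped.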