
Re: NAT Traversal
On 25 Feb 2002, Derek Atkins wrote:
> "Jayant Shukla" <jshukla@trlokom.com> writes:
> >
> > What makes you think the client is involved? IPsec pass-thru implemented
> > in most low end NAT boxes is not complete RSIP as that would require
> > modifications to client and the gateway.
>
> See what I said before about demon-spawn!!!  NAT traversal via IPsec
> pass-thru[sic] is just plain wrong, broken, and lots of other words
> that I don't want to use in mixed company.
>

NAT translates all protocols in a transparent manner using some protocol
parameters, e.g. ports in the case of UDP and TCP. I don't see why we should
not try and apply a similar model to IPsec, using cookies and SPIs.

Sure, the SPIs are encrypted during IKE negotiation and the NAT box cannot
see which SPIs are a pair. But if we somehow relate one SPI to another in
each pair, the NAT box can translate ESP traffic with a high probability
of success.

Well, it's not pretty, but that is the inherent nature of NAT itself.

    chinna
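Added example, not part of the thread: a small Python simulation of the SPI-pairing NAT described above. The NAT sees only outer addresses and SPIs, so it pairs each unknown inbound SPI with the oldest inside host still waiting on that peer; the `scenario` function shows why this only works "with a high probability" when two inside hosts talk to the same gateway at once. Addresses, SPIs and the FIFO pairing rule are constructed assumptions, not anything from the post.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Esp:
    """What a NAT can see of an ESP packet: outer IP addresses and the SPI."""
    src: str
    dst: str
    spi: int


@dataclass
class SpiNat:
    """NAT that demultiplexes inbound ESP by SPI, pairing each new inbound SPI
    with the oldest inside host still waiting for a reply from that peer."""
    public_ip: str
    table: dict = field(default_factory=dict)    # (peer, inbound SPI) -> inside host
    pending: dict = field(default_factory=dict)  # peer -> inside hosts with no inbound SPI yet
    paired: set = field(default_factory=set)     # (peer, inside host) already mapped

    def outbound(self, pkt: Esp) -> Esp:
        """Rewrite the source to the public address; note who is awaiting a reply SPI."""
        waiting = self.pending.setdefault(pkt.dst, [])
        if (pkt.dst, pkt.src) not in self.paired and pkt.src not in waiting:
            waiting.append(pkt.src)
        return Esp(self.public_ip, pkt.dst, pkt.spi)

    def inbound(self, pkt: Esp):
        """Deliver by known SPI, else guess the owner; None means drop (no mapping)."""
        host = self.table.get((pkt.src, pkt.spi))
        if host is None:
            waiting = self.pending.get(pkt.src, [])
            if not waiting:
                return None
            host = waiting.pop(0)  # the guess: FIFO pairing of outbound and inbound SPIs
            self.table[(pkt.src, pkt.spi)] = host
            self.paired.add((pkt.src, host))
        return Esp(pkt.src, host, pkt.spi)


GW = "198.51.100.7"                                 # constructed: remote IPsec gateway
REPLY_SPI = {"10.0.0.2": 0xA1, "10.0.0.3": 0xB2}    # constructed: inbound SPI per host


def scenario(reply_order):
    """Two inside hosts open SAs to GW at once; GW's first ESP packets arrive in
    reply_order. Returns {intended host: host the NAT actually delivered to}."""
    nat = SpiNat("203.0.113.1")
    nat.outbound(Esp("10.0.0.2", GW, 0x1001))
    nat.outbound(Esp("10.0.0.3", GW, 0x1002))
    return {h: nat.inbound(Esp(GW, nat.public_ip, REPLY_SPI[h])).dst for h in reply_order}
```

With replies arriving in the order the hosts started, both SAs are mapped correctly; if the gateway answers the second host first, the NAT silently crosses the two mappings and each host receives the other's ESP traffic.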