[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT Traversal
On 25 Feb 2002, Derek Atkins wrote:
> "Jayant Shukla" <jshukla@trlokom.com> writes:
> >
> > What makes you think the client is involved? IPsec pass-thru implemented
> > in most low end NAT boxes is not complete RSIP as that would require
> > modifications to client and the gateway.
>
> See what I said before about demon-spawn!!! NAT traversal via IPsec
> pass-thru[sic] is just plain wrong, broken, and lots of other words
> that I don't want to use in mixed company.
>
NAT translates all protocols in a transparent manner using some protocol
parameters, Eg. ports in case of UDP and TCP. I don't see why we should
not try and apply a similar model to IPsec, using cookies and SPIs.
Sure the SPIs are encrypted during IKE negotiation and the NAT box cannot
see which SPIs are a pair. But if we somehow relate one SPI to another in
each pair, the NAT box can translate ESP traffic with a high probability
of success.
Well, it's not pretty, but that is the inherent nature of NAT itself.
chinna