
Re: NAT Traversal



At 4:07 PM +0200 3/1/02, Tero Kivinen wrote:
>Henry Spencer writes:
>>  On Thu, 28 Feb 2002, Tero Kivinen wrote:
>>  > Implementations own local policy. If the implementation knows for sure
>>  > that its TCP/UDP stack does not care about checksums, it can simply
>>  > zero them.
>>  There is no such thing as a (standard conforming) TCP/UDP stack which does
>>  not care about checksums.  Checking checksums is mandatory; discarding
>
>Note that we are talking about packets which are already verified
>using the MAC of the ESP payload. We are not talking about the random
>packets received from the network. Also for those packets we know that
>the UDP and TCP checksums are incorrect because we know that some NAT
>device between has changed the IP addresses and it could not fix the
>checksums because the checksum was encrypted.
>
>For those cases I think it is ok for an implementation to mark the
>packet after decryption and MAC verification that it had correct
>tcp/udp checksum so that the operating system stack can then notice
>that ok, I should not do checksum checks for this packet, as something
>inside my system already claimed that it is ok.

We would need some standard means of signalling this across a network 
if the IPsec implementation is in an SG, vs. in the same host. That 
strikes me as problematic.

Steve
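As an added illustration (not from the thread or any of its authors), the Python below reproduces the situation Tero describes: a UDP checksum computed over the original source address fails verification once a NAT has rewritten that address, and a receiver that learns the original address after ESP decryption and MAC verification can repair the checksum incrementally (RFC 1624) rather than zeroing it. The addresses, ports and payload are constructed sample values; the helper names are my own.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """Internet checksum partial sum (RFC 1071): 16-bit words with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip: bytes, dst_ip: bytes, seg_len: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero, protocol 17 (UDP), UDP length
    return src_ip + dst_ip + struct.pack("!BBH", 0, 17, seg_len)

def udp_checksum(src_ip: bytes, dst_ip: bytes, seg: bytes) -> int:
    """Full recomputation; seg must carry 0 in its checksum field."""
    csum = ~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(seg)) + seg) & 0xFFFF
    return csum or 0xFFFF  # UDP sends a computed 0 as 0xFFFF; 0 on the wire means "no checksum"

def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return hdr[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, hdr + payload)) + payload

def verify_udp(src_ip: bytes, dst_ip: bytes, seg: bytes) -> bool:
    """What a conforming stack checks: the sum over pseudo-header + segment is all ones."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0xFFFF

def fixup_checksum(csum: int, old_ip: bytes, new_ip: bytes) -> int:
    """RFC 1624 incremental update HC' = ~(~HC + ~m + m'), per 16-bit word of the address."""
    if csum == 0:
        return 0  # sender disabled UDP checksumming; nothing to repair
    acc = ~csum & 0xFFFF
    for i in (0, 2):
        m, m_new = struct.unpack("!HH", old_ip[i:i + 2] + new_ip[i:i + 2])
        acc += (~m & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc & 0xFFFF) or 0xFFFF

def decapsulate_after_nat(seg: bytes, orig_src: bytes, nat_src: bytes, dst: bytes) -> dict:
    """Receiver after ESP decryption and MAC check: the inner checksum was computed over
    orig_src, but the packet now carries nat_src, so the stack would discard it. Knowing
    the original address (constructed here; NAT-T later carried it in IKE) lets the
    checksum be repaired incrementally instead of being zeroed."""
    old = struct.unpack("!H", seg[6:8])[0]
    fixed = seg[:6] + struct.pack("!H", fixup_checksum(old, orig_src, nat_src)) + seg[8:]
    zeroed = seg[:6] + b"\x00\x00" + seg[8:]  # the "zero it" option; UDP-only, TCP has no such escape
    return {"as_received": verify_udp(nat_src, dst, seg),
            "after_fixup": verify_udp(nat_src, dst, fixed),
            "fixup_matches_recompute": fixed[6:8] == struct.pack("!H", udp_checksum(nat_src, dst, zeroed))}
```

Zeroing is only an option for UDP, where 0 means "no checksum"; a TCP segment has no such escape, which is why the thread ends up needing either repair with the original address or some signal from the decrypting entity to the stack.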