Re: NAT Traversal
On Fri, 1 Mar 2002, Tero Kivinen wrote:
> > There is no such thing as a (standard conforming) TCP/UDP stack which does
> > not care about checksums...
> 
> Note, that we are talking about packets which are already verified
> using the MAC of the ESP payload.

That verifies that they have not been damaged between the time they were
encrypted and the time they were decrypted.  That is *NOT* a substitute
for the end-to-end check provided by the checksums.  The encryption and
decryption points are not necessarily the ends.

(Bad enough that you have to somehow indicate to the final destination
that it shouldn't bother with the checksum... but how do you catch damage
done while the packet was in transit from the original sender to the
encryption point?)

It is very, very, very important that the checksums are END TO END checks,
computed by the original sender and checked by the final destination.

                                                          Henry Spencer
                                                       henry@spsystems.net
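As an added illustration of the point made above (example code, not part of the original message or thread), the following Python sketch computes a real UDP checksum (RFC 768 pseudo-header, RFC 1071 one's-complement sum) and then walks a datagram through the path Henry describes: sender, a hop where one bit is damaged, an encrypting gateway, a decrypting gateway, and the final destination. HMAC-SHA256 with a constructed key stands in for ESP's integrity check, and the addresses and payload are constructed; the assumption is only that the gateway authenticates what it receives, which is exactly why it cannot detect damage that happened before it.

```python
import hmac, hashlib, struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, odd length padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    # IPv4 pseudo-header: src, dst, zero, protocol 17 (UDP), UDP length
    return src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)

def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Sender side: UDP header + payload with the end-to-end checksum filled in."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)   # checksum field zero while computing
    csum = internet_checksum(_pseudo_header(src_ip, dst_ip, length) + header + payload)
    csum = csum or 0xFFFF            # a computed 0 is sent as 0xFFFF; 0 on the wire means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload

def udp_checksum_ok(src_ip: bytes, dst_ip: bytes, datagram: bytes) -> bool:
    """Receiver side: summing pseudo-header + datagram (checksum included) must give zero."""
    return internet_checksum(_pseudo_header(src_ip, dst_ip, len(datagram)) + datagram) == 0

ESP_KEY = b"constructed-demo-key"   # constructed for the example; stands in for the ESP SA key

def esp_protect(inner: bytes) -> tuple[bytes, bytes]:
    # Encrypting gateway: integrity tag over whatever it received (encryption omitted, irrelevant here)
    return inner, hmac.new(ESP_KEY, inner, hashlib.sha256).digest()

def esp_verify(inner: bytes, tag: bytes) -> bool:
    # Decrypting gateway: checks the tunnel segment only
    return hmac.compare_digest(tag, hmac.new(ESP_KEY, inner, hashlib.sha256).digest())

def simulate(corrupt_before_gateway: bool) -> tuple[bool, bool]:
    """Returns (ESP MAC verified at decrypting gateway, UDP checksum verified at final destination)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])          # constructed addresses
    dgram = build_udp(src, dst, 4000, 53, b"constructed payload")  # original sender
    if corrupt_before_gateway:                                     # damage on the hop before the tunnel
        dgram = dgram[:10] + bytes([dgram[10] ^ 0x01]) + dgram[11:]
    inner, tag = esp_protect(dgram)
    mac_ok = esp_verify(inner, tag)                                # tunnel integrity: still fine
    csum_ok = udp_checksum_ok(src, dst, inner)                     # end-to-end check: catches it
    return mac_ok, csum_ok
```

`simulate(True)` returns `(True, False)`: the ESP tag verifies because the gateway authenticated the already-damaged bytes, and only the sender-computed UDP checksum, checked at the destination, notices.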