
Re: NAT Traversal



Stephen Kent writes:
> >For those cases I think it is ok for an implementation to mark the
> >packet after decryption and MAC verification that it had correct
> >tcp/udp checksum so that the operating system stack can then notice
> >that ok, I should not do checksum checks for this packet, as something
> >inside my system already claimed that it is ok.
> We would need some standard means of signalling this across a network 
> if the IPsec implementation is in an SG, vs. in the same host. That 
> strikes me as problematic.

I don't think there must be any protocol signalling it across
networks; I think we can only allow this kind of thing if it is
happening inside one machine.

I.e. if IPsec knows that this packet is going to end up in this
machine's local IP stack, it can put a flag up, saying "I don't care
about the checksum, I already verified the auth header." Also quite
often the OS will know that there is one more checksum inside the
packet (i.e. more tunneling protocols inside the UDP/TCP packets), thus
this is not actually an end-to-end case, merely decapsulation.

I think this checksum calculation discussion is not very useful. The
current NAT-T draft makes it possible for you to recalculate the
checksum incrementally, or completely, and that is the normal way.
In some exceptional cases where you know that the checksum is not used
at all anyway, you can simply put a flag on in the MBUF chain saying
that I already "verified" the checksum, ignore it.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
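The incremental checksum recalculation referred to in the message, as an added example (not code from the message or from the SSH toolkit): a NAT-T receiver in transport mode patches the inner TCP/UDP checksum from the original source address (NAT-T conveys it in the NAT-OA payloads) to the address the NAT wrote, using the RFC 1624 update HC' = ~(~HC + ~m + m'), and checks the result against a complete recomputation. The packet words, addresses and ports are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Fold a 32-bit accumulator into a 16-bit one's-complement sum (RFC 1071). */
static uint16_t fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)sum;
}

/* Complete recomputation over host-order 16-bit words: pseudo-header,
 * transport header with its checksum field zeroed, and payload. */
uint16_t checksum_full(const uint16_t *words, size_t n) {
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += words[i];
    return (uint16_t)~fold(sum);
}

/* Incremental update, RFC 1624: HC' = ~(~HC + ~m + m'). Needs only the old
 * and new value of the changed word, never the payload. */
uint16_t checksum_update(uint16_t hc, uint16_t m_old, uint16_t m_new) {
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~m_old;
    sum += m_new;
    return (uint16_t)~fold(sum);
}

/* The NAT rewrote the outer IPv4 source address, but the inner checksum still
 * covers the pseudo-header with the original address. Patch both halves. */
uint16_t checksum_fix_addr(uint16_t hc, uint32_t orig_addr, uint32_t nat_addr) {
    hc = checksum_update(hc, (uint16_t)(orig_addr >> 16), (uint16_t)(nat_addr >> 16));
    return checksum_update(hc, (uint16_t)orig_addr, (uint16_t)nat_addr);
}

/* Constructed sample: pseudo-header (src 10.0.0.5, dst 192.0.2.1, proto 17,
 * length 12), UDP header 8000->443 with checksum zeroed, payload "ABCD". */
int demo(void) {
    uint32_t orig = 0x0A000005u;                  /* 10.0.0.5, as sent */
    uint32_t nat  = 0xCB007107u;                  /* 203.0.113.7, after NAT */
    uint16_t pkt[] = { 0x0A00, 0x0005, 0xC000, 0x0201, 0x0011, 0x000C,
                       0x1F40, 0x01BB, 0x000C, 0x0000, 0x4142, 0x4344 };
    size_t n = sizeof pkt / sizeof pkt[0];
    uint16_t sent = checksum_full(pkt, n);        /* computed by the sender */
    uint16_t inc = checksum_fix_addr(sent, orig, nat);
    pkt[0] = (uint16_t)(nat >> 16); pkt[1] = (uint16_t)nat;  /* receiver's view */
    uint16_t full = checksum_full(pkt, n);
    printf("sent %04x incremental %04x full %04x\n", sent, inc, full);
    return inc == full;                           /* 1: both agree (0x5c4b) */
}
int main(void) { return demo() ? 0 : 1; }
```

Applying the same update to the destination address covers the case where the responder, not the initiator, sits behind the NAT.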