
RE: NAT Traversal

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]
> On Behalf Of Bill Sommerfeld
> Sent: Monday, March 04, 2002 3:11 PM
> To: Chinna N.R. Pellacuru
> Cc: Stephen Kent; Srinivasa Addepalli; Jayant Shukla; 'Henrik Levkowetz';
> 'ipsec mailling list'
> Subject: Re: NAT Traversal
> 
> > I am suggesting that the original concept of IPsec SA being identified
> > by a tuple: destination IP, protocol, SPI be required, and within the SPI
> > add new semantics for picking a SPI on the phase2 responder.
> 
> I strongly object.
> 

That's understandable. 

> UDP encapsulation works JUST FINE to get through NATs which aren't
> trying to be too clever (and it appears that there are other
> workarounds to deal with overly-clever NATs).
> 

UDP encapsulation does not work JUST FINE! This proposal has significant
problems and they have been discussed copiously. Please check earlier
e-mails of this thread.


> There's no need to introduce potential vulnerabilities/points of
> collision/etc. elsewhere in the system.
> 
> 						- Bill
> 

Sending all traffic through port 500 sounds like a BIG vulnerability to
me! A simple DoS attack on port 500 will kill all VPN traffic.  

Regards,
Jayant
www.trlokom.com
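Added example (not from this thread or from any IPsec implementation), in Python, modelling the design the two sides argue over: IKE and UDP-encapsulated ESP arriving on one shared UDP port, with each SA looked up by the (destination IP, protocol, SPI) tuple. It assumes the UDP-encapsulation draft's four-zero-byte non-ESP marker to tell ESP from IKE; the SA table, SPIs and datagrams are constructed.

```python
import struct

ESP_PROTOCOL = 50
# Assumption: the UDP-encapsulation draft prefixes encapsulated ESP with four zero
# bytes (the "non-ESP marker"); an IKE header begins with a non-zero initiator cookie.
NON_ESP_MARKER = b"\x00\x00\x00\x00"

# Constructed SA table keyed by the tuple the thread discusses:
# (destination IP, protocol, SPI).
SA_TABLE = {("192.0.2.1", ESP_PROTOCOL, 0x1000ABCD): "sa-to-branch-office"}

def build_esp_datagram(spi, seq, payload):
    """Constructed UDP payload carrying ESP: marker, SPI, sequence number, payload."""
    return NON_ESP_MARKER + struct.pack("!II", spi, seq) + payload

def classify_udp_payload(dst_ip, payload):
    """Demultiplex one datagram from the shared UDP port into
    ("esp", sa_name), ("unknown-spi", spi), ("ike", None) or ("malformed", None)."""
    if len(payload) < 8:
        return ("malformed", None)
    if payload[:4] == NON_ESP_MARKER:
        esp = payload[4:]
        if len(esp) < 8:
            return ("malformed", None)
        spi, _seq = struct.unpack("!II", esp[:8])
        key = (dst_ip, ESP_PROTOCOL, spi)
        if key in SA_TABLE:
            return ("esp", SA_TABLE[key])
        return ("unknown-spi", spi)  # no SA for this tuple: drop and log
    # Anything without the marker is handed to IKE, so junk on the port lands there too.
    return ("ike", None)

def count_kinds(datagrams):
    """Count what the one port receives; every kind competes for the same socket."""
    counts = {}
    for dst_ip, payload in datagrams:
        kind, _ = classify_udp_payload(dst_ip, payload)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample traffic: an IKE message, ESP on a known SA, ESP with an SPI
# that matches no SA, and a truncated datagram, all arriving on the same port.
SAMPLE_TRAFFIC = [
    ("192.0.2.1", b"\x11\x22\x33\x44\x55\x66\x77\x88" + b"\x00" * 20),
    ("192.0.2.1", build_esp_datagram(0x1000ABCD, 1, b"ciphertext")),
    ("192.0.2.1", build_esp_datagram(0xDEADBEEF, 1, b"ciphertext")),
    ("192.0.2.1", b"\x00\x00"),
]
```

Every datagram, including the malformed and unknown-SPI ones, is absorbed by the same port before the SA lookup can reject it, which is the shared-fate concern raised above.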