RE: NAT Traversal

Bill Sommerfeld wrote:
 > 
 > > I am suggesting that the original concept of IPsec SA being identified by
 > > a tuple: destination IP, protocol, SPI be required, and within the SPI add
 > > new semantics for picking a SPI on the phase2 responder.
 > 
 > I strongly object.
 > 
 > UDP encapsulation works JUST FINE to get through NATs which aren't
 > trying to be too clever (and it appears that there are other
 > workarounds to deal with overly-clever NATs).

I agree. By handling NATs through UDP encapsulation, you will get
through most if not all NATs. And if the cost can be kept down to
only the addition of 8 or 16 bytes, would that be too much?

	Henrik

 > 
 > There's no need to introduce potential vulnerabilities/points of
 > collision/etc. elsewhere in the system.
 > 
 > 						- Bill
 >
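To make the two points in this thread concrete, here is an added worked example (not code from the list or from either author): it builds an ESP packet, wraps it in a UDP header (the 8-byte cost Henrik refers to), simulates a NAT rewriting the outer source port, and shows that the receiver still finds the right SA by looking only at the SPI, as Bill argues. Port 4500 and the four-zero-byte "non-ESP marker" used to share the port with IKE follow the later RFC 3948 layout and are assumptions for this example; encryption is omitted and all packets are constructed inline.

```python
import struct

UDP_HEADER_LEN = 8            # src port, dst port, length, checksum: the only per-packet cost
NAT_T_PORT = 4500             # assumed port (RFC 3948 style), not something this thread fixes
NON_ESP_MARKER = b"\x00" * 4  # IKE on the same port starts with 4 zero bytes; SPI 0 is reserved,
                              # so an ESP packet can never look like this
ESP_HEADER_LEN = 8            # SPI (4 bytes) + sequence number (4 bytes)


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP header followed by a (constructed, unencrypted) payload."""
    if not 256 <= spi <= 0xFFFFFFFF:  # SPIs 0..255 are reserved, so reject them here
        raise ValueError("invalid SPI")
    return struct.pack("!II", spi, seq) + payload


def udp_encapsulate(body: bytes, src_port: int = NAT_T_PORT, dst_port: int = NAT_T_PORT) -> bytes:
    """Prepend a UDP header; checksum 0 means 'not computed', which IPv4 allows."""
    return struct.pack("!HHHH", src_port, dst_port, UDP_HEADER_LEN + len(body), 0) + body


def encapsulation_overhead(esp_packet: bytes, datagram: bytes) -> int:
    """Bytes added by encapsulation: exactly the UDP header."""
    return len(datagram) - len(esp_packet)


def nat_rewrite(datagram: bytes, new_src_port: int) -> bytes:
    """Simulate a NAT rewriting the outer UDP source port (address rewrite is analogous)."""
    _, dst, length, csum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    return struct.pack("!HHHH", new_src_port, dst, length, csum) + datagram[UDP_HEADER_LEN:]


def decapsulate(datagram: bytes, sa_table: dict) -> tuple:
    """Receiver side: strip UDP, demultiplex IKE vs ESP, then select the SA by SPI alone.

    The outer ports are deliberately ignored for SA lookup: a NAT may have changed them,
    and the SA identity is (destination, protocol, SPI), not the transport 5-tuple.
    """
    if len(datagram) < UDP_HEADER_LEN:
        raise ValueError("truncated UDP header")
    _, _, length, _ = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram")
    body = datagram[UDP_HEADER_LEN:]
    if body[:4] == NON_ESP_MARKER:
        return ("ike", body[4:])
    if len(body) < ESP_HEADER_LEN:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", body[:ESP_HEADER_LEN])
    sa = sa_table.get(spi)
    if sa is None:
        raise LookupError("no SA for SPI 0x%08x" % spi)
    return ("esp", {"spi": spi, "seq": seq, "sa": sa, "payload": body[ESP_HEADER_LEN:]})


if __name__ == "__main__":
    sa_table = {0x12345678: "inbound SA from peer A"}       # constructed SA database
    esp = build_esp(0x12345678, 1, b"constructed payload")
    datagram = udp_encapsulate(esp)
    print("overhead:", encapsulation_overhead(esp, datagram), "bytes")
    print(decapsulate(nat_rewrite(datagram, 40001), sa_table))
    print(decapsulate(udp_encapsulate(NON_ESP_MARKER + b"IKE message"), sa_table))
```

The length check in `decapsulate` is the kind of input validation a receiver on a NAT-traversal port needs, since anything on the Internet can send datagrams to it; the SPI lookup failing closed (`LookupError`) is the equivalent of ESP's normal "unknown SPI, drop" behaviour.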