Re: About UDP Encapsulation of IPsec Packets
Jerry Yao wrote:
>
> I read the IETF draft "UDP Encapsulation of IPsec Packets" and I have a question about it.
> If I receive a packet from a communication peer who is behind NAT, and the packet uses Transport Mode ESP encapsulation:
>
> ------------------------------------------------------------------
> IPv4 |orig IP hdr  | UDP | Non-| ESP |     |      |   ESP   | ESP|
>      |(any options)| Hdr | IKE | Hdr | TCP | Data | Trailer |Auth|
> ------------------------------------------------------------------
>                                      |<----- encrypted ---->|
>                                |<------ authenticated ----->|
>
> Now I don't know the original IP address of the communication peer; how can I locate the corresponding SA to decrypt or authenticate the ESP packet?
RFC-2401:
> A security association is uniquely identified by a triple consisting
> of a Security Parameter Index (SPI), an IP Destination Address, and a
> security protocol (AH or ESP) identifier.
Ari
--
"They that can give up essential liberty to obtain a little
temporary safety deserve neither liberty nor safety." - Benjamin Franklin
Ari Huttunen phone: +358 9 2520 0700
Software Architect fax : +358 9 2520 5001
F-Secure Corporation http://www.F-Secure.com
F(ully)-Secure products: Securing the Mobile Enterprise
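Ari's answer in working form, as an added example that is not part of this thread or of the draft: the inbound SA is keyed by (SPI, destination address, protocol), so the receiver looks it up with its own address and the SPI read from the ESP header, never with the peer's pre-NAT source address. The 8-zero-byte Non-IKE marker length, the addresses and the SPI are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ESP_PROTO = 50                 # IP protocol number of ESP (51 would be AH)
NON_IKE_MARKER = b"\x00" * 8   # assumption: the draft's 8-byte Non-IKE marker

@dataclass(frozen=True)
class SA:
    spi: int
    dst: str      # the receiver's OWN address, i.e. the packet's IP destination
    proto: int
    label: str    # stands in for the real keys and algorithms

class SADB:
    """Inbound SA database keyed exactly by the RFC 2401 triple."""
    def __init__(self) -> None:
        self._sas = {}
    def add(self, sa: SA) -> None:
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa
    def lookup(self, spi: int, dst: str, proto: int) -> Optional[SA]:
        return self._sas.get((spi, dst, proto))

def classify_udp_payload(payload: bytes):
    """Return ('ike', None), ('esp', (spi, seq, body)) or (None, None).
    An IKE header starts with a non-zero initiator cookie, so eight zero
    bytes can only be the Non-IKE marker that precedes an ESP header."""
    if len(payload) < 8:
        return None, None
    if payload[:8] != NON_IKE_MARKER:
        return "ike", None
    esp = payload[8:]
    if len(esp) < 8:                       # need SPI (4) + sequence number (4)
        return None, None
    spi, seq = struct.unpack("!II", esp[:8])
    return "esp", (spi, seq, esp[8:])

def locate_inbound_sa(sadb: SADB, local_addr: str, payload: bytes) -> Optional[SA]:
    """SA lookup for a UDP-encapsulated ESP packet delivered to local_addr."""
    kind, fields = classify_udp_payload(payload)
    if kind != "esp":
        return None
    spi, _seq, _body = fields
    return sadb.lookup(spi, local_addr, ESP_PROTO)

# Constructed samples: marker + SPI 0x12345678 + seq 1 + opaque ciphertext,
# and an IKE-looking payload with a non-zero initiator cookie.
SAMPLE_ESP = NON_IKE_MARKER + struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16
SAMPLE_IKE = bytes.fromhex("0123456789abcdef") + b"\x00" * 20

def demo() -> Optional[SA]:
    sadb = SADB()
    sadb.add(SA(0x12345678, "192.0.2.10", ESP_PROTO, "esp-in-from-natted-peer"))
    return locate_inbound_sa(sadb, "192.0.2.10", SAMPLE_ESP)
```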