
NAT Traversal and packet reassemble



Hi,

To support fragmented IPSec packets, the only thing a VPN gateway should have
to do is reassemble AH and ESP packets. In NAT Traversal, all IPSec packets are
encapsulated in a UDP header (port 500 or 4500). For the first fragment, the VPN
gateway can keep only the packets with UDP port 500 and a non-IKE marker. But
for the second fragment, there is no UDP header. There is no way to know whether
this fragment is a UDP-encapsulated IPSec packet or some other UDP packet. That
means the VPN gateway should try to reassemble all UDP packets. This will affect
VPN gateway throughput.

It seems there is no way to solve this problem, right?

Michael
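
The ambiguity described in the post, as an added example that is not part of the original message: it builds a two-fragment UDP-encapsulated datagram and shows what a gateway can tell from each fragment in isolation. The addresses, ESP bytes and IP identification value are constructed, and the non-IKE marker is assumed to be 8 zero bytes directly after the UDP header.

```python
import struct

NAT_T_PORTS = {500, 4500}       # ports named in the post
NON_IKE_MARKER = b"\x00" * 8    # assumption: 8 zero bytes after the UDP header

def ipv4_packet(ident, offset_bytes, more_fragments, payload,
                src=b"\xc0\x00\x02\x01", dst=b"\xc6\x33\x64\x01"):
    """Build a constructed IPv4/UDP packet (header checksum left at 0)."""
    flags_off = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_off, 64, 17, 0, src, dst)
    return header + payload

def classify(packet):
    """Return (verdict, reassembly_key) using only this one packet."""
    ihl = (packet[0] & 0x0F) * 4
    ident, flags_off = struct.unpack("!HH", packet[4:8])
    proto = packet[9]
    offset = (flags_off & 0x1FFF) * 8
    more = bool(flags_off & 0x2000)
    key = (packet[12:16], packet[16:20], proto, ident)
    if proto != 17:
        return "not-udp", key
    if offset != 0:
        # Non-first fragment: the bytes after the IP header are mid-datagram
        # payload, so there are no ports and no marker to inspect.
        return "udp-fragment-unclassifiable", key
    _sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    body = packet[ihl + 8:]
    natt = dport in NAT_T_PORTS and body[:8] == NON_IKE_MARKER
    kind = "ipsec-in-udp" if natt else "other-udp"
    return (kind + "-first-fragment" if more else kind), key

def sample_fragments():
    """Constructed sample: one encapsulated datagram split at byte 40."""
    esp = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + bytes(range(48))
    udp = struct.pack("!HHHH", 500, 500, 16 + len(esp), 0)
    datagram = udp + NON_IKE_MARKER + esp
    first = ipv4_packet(0x1234, 0, True, datagram[:40])
    second = ipv4_packet(0x1234, 40, False, datagram[40:])
    return first, second

if __name__ == "__main__":
    for pkt in sample_fragments():
        print(classify(pkt)[0])
```

The only thing linking the second fragment to the first is the shared (source, destination, protocol, identification) key, which is why the gateway has to hold every non-first UDP fragment until the matching first fragment is seen.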