
Re: NAT Traversal and packet reassemble

On Tue, 7 May 2002, michael lin wrote:

> Hi,
> 
> To support IPSec fragmented packets, the only thing a VPN gateway should do is
> to reassemble AH and ESP packets. In NAT Traversal, all IPSec packets are
> encapsulated by a UDP header (port 500 or 4500). For the first fragment, the VPN
> gateway can only keep the packet with UDP port 500 and the non-IKE marker. 

SRINI> Now it is non-ESP marker, according to the new draft.

> But for the second fragment, there is no UDP header. There is no way to know
> whether this fragment is a UDP-encapsulated IPSec packet or some other UDP packet. That
> means the VPN gateway should try to reassemble all UDP packets. This will affect
> VPN gateway throughput. 
> 
> It seems no way to solve this problem, right?

SRINI> Reassembly is needed for this. In any case, to support port-based
SPD, reassembly is required anyway. Also, the extra header should be taken
into consideration for PMTU (if supported). 
> 
> Michael
> 

-- 
Srinivasa Rao Addepalli
Intoto Inc. (Enabling Security Infrastructure)
3160, De La Cruz Blvd #100
Santa Clara, CA
USA
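The exchange above makes a point that is easy to state and easy to get wrong in a gateway: only the first fragment of a UDP-encapsulated IPsec datagram carries the UDP header, so port-based classification (500, 4500, the non-ESP marker) can only be applied after IP reassembly. The following Python is an added example, not code from the thread or from Intoto; it builds constructed IPv4 fragments offline, shows that the ports are visible in the offset-0 fragment only, reassembles the datagram keyed by (src, dst, id, proto) and classifies the result. It assumes the non-ESP marker is four zero bytes in front of IKE on port 4500 (the marker the later RFC 3948 specifies), that a UDP-encapsulated ESP payload starts with a non-zero SPI, and that no IP options are present; the MTU and addresses are constructed sample values.

```python
import struct
from typing import Dict, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # assumed: 4 zero bytes before IKE on port 4500 (RFC 3948)
MF_FLAG = 0x2000                        # "more fragments" bit in the IPv4 flags/offset field
IPV4_FMT = "!BBHHHBBH4s4s"


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ident: int,
               offset: int = 0, more: bool = False) -> bytes:
    """Build a minimal IPv4 packet (no options, checksum 0). Constructed sample, never sent."""
    flags_frag = (MF_FLAG if more else 0) | (offset // 8)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, src, dst)
    return hdr + payload


def fragment(src, dst, proto, payload, ident, mtu=40):
    """Fragment a transport-layer payload the way a router would: offsets in 8-byte units."""
    chunk = ((mtu - 20) // 8) * 8
    frags = []
    for off in range(0, len(payload), chunk):
        more = off + chunk < len(payload)
        frags.append(build_ipv4(src, dst, proto, payload[off:off + chunk], ident, off, more))
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    vihl, _tos, tlen, ident, ff, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": src, "dst": dst, "id": ident, "proto": proto,
            "offset": (ff & 0x1FFF) * 8, "more": bool(ff & MF_FLAG), "payload": pkt[ihl:tlen]}


def udp_ports(hdr: dict) -> Optional[Tuple[int, int]]:
    """Ports are only visible in the fragment that carries the UDP header (offset 0)."""
    if hdr["proto"] != IPPROTO_UDP or hdr["offset"] != 0 or len(hdr["payload"]) < 8:
        return None
    return struct.unpack("!HH", hdr["payload"][:4])


class Reassembler:
    """Keys fragments by (src, dst, id, proto); returns the whole datagram once it is contiguous."""
    def __init__(self):
        self.buckets: Dict[tuple, dict] = {}

    def feed(self, pkt: bytes) -> Optional[Tuple[dict, bytes]]:
        p = parse_ipv4(pkt)
        if p["offset"] == 0 and not p["more"]:
            return p, p["payload"]                 # unfragmented: classify directly
        key = (p["src"], p["dst"], p["id"], p["proto"])
        b = self.buckets.setdefault(key, {"pieces": {}, "total": None})
        b["pieces"][p["offset"]] = p["payload"]
        if not p["more"]:
            b["total"] = p["offset"] + len(p["payload"])   # last fragment fixes the length
        if b["total"] is None:
            return None
        buf, pos = bytearray(), 0
        while pos < b["total"]:                    # require contiguous coverage from offset 0
            piece = b["pieces"].get(pos)
            if piece is None:
                return None
            buf += piece
            pos += len(piece)
        del self.buckets[key]
        return p, bytes(buf)


def classify(hdr: dict, datagram: bytes) -> str:
    """Classify a complete datagram: IKE, NAT-T IKE (marker), UDP-encapsulated ESP, or other."""
    if hdr["proto"] == IPPROTO_ESP:
        return "ESP"
    if hdr["proto"] != IPPROTO_UDP or len(datagram) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", datagram[:4])
    body = datagram[8:]
    if IKE_PORT in (sport, dport):
        return "IKE"
    if NAT_T_PORT in (sport, dport):
        return "IKE (NAT-T marker)" if body[:4] == NON_ESP_MARKER else "UDP-encapsulated ESP"
    return "other UDP"


def demo() -> dict:
    src, dst = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1])     # constructed addresses
    # Constructed UDP-encapsulated ESP: UDP(4500->4500) + SPI 0x123 + seq + 56 opaque bytes
    esp_body = struct.pack("!II", 0x123, 1) + b"\xAB" * 56
    udp_esp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp_body), 0) + esp_body
    frags = fragment(src, dst, IPPROTO_UDP, udp_esp, ident=0x1234, mtu=40)
    visible = [udp_ports(parse_ipv4(f)) for f in frags]        # ports seen per fragment
    r, result = Reassembler(), None
    for f in reversed(frags):                                  # deliver out of order on purpose
        done = r.feed(f)
        if done:
            result = classify(*done)
    # Constructed NAT-T IKE on 4500: marker followed by dummy IKE header bytes, unfragmented
    ike_body = NON_ESP_MARKER + b"\x00" * 28
    udp_ike = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(ike_body), 0) + ike_body
    ike_pkt = build_ipv4(src, dst, IPPROTO_UDP, udp_ike, ident=0x1235)
    return {"fragments": len(frags), "ports_visible": visible,
            "esp_class": result, "ike_class": classify(*Reassembler().feed(ike_pkt))}
```

Running `demo()` yields five fragments of which only the first reports ports; the reassembled datagram classifies as UDP-encapsulated ESP and the unfragmented packet with the zero marker as NAT-T IKE. A production gateway would add what this toy omits: a per-bucket byte cap and timer so that incomplete fragment sets cannot exhaust memory, and overlap handling so that a later fragment cannot rewrite bytes already accepted for classification.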