
RE: IPSec NAT pass-through: how does the server distinguish different clients?



In a separate thread William Dixon wrote - 

> NAT-Traversal - We are almost done.  It's more than 1 1/2 years after
> the Feb '01 drafts for UDP encapsulation, and the significant revision
> of draft-02 Feb '02 to use a non-500 UDP port due to IPsec aware NATs.
> These drafts are in last call WG, and should solve the remaining
> technical blocker for transition from PPTP to L2TP/IPsec for those who
> want to use the Windows native VPN client.  The NAT-T drafts also
> provide the solution for IPsec tunnel mode VPN clients.  So all
> IPsec-based VPN usages are served.


I have been following the NAT Traversal draft
(draft-ietf-ipsec-udp-encaps-03.txt) for a while. The only reason to
consider this solution is to allow multiple clients behind a NAT to
connect to the same server using transport mode. However, I just don't
see it working in real life situations.

The biggest problem that I see is the conflicting "traffic-desc" mentioned
in the draft (Section 5.3), where traffic-desc is the port/protocol
pair. If two machines happen to pick the same port/protocol, then this
solution does not work. For TCP, most TCP/IP implementations pick the
source port starting from around 1025 (after skipping system ports). So
the chances of two machines picking the same source port are very
high. The chances of a destination port conflict are going to be very
high since these are going to be a few standard ports (such as HTTP,
telnet etc.). For UDP, it is even worse. Since many UDP applications
pick their own source port, this means that one cannot use the same
UDP application on two different machines behind the same NAT.

To me there does not seem to be any advantage in using this approach
over IPSec pass-through. 

Why is the IETF even considering standardizing this draft when the draft
itself mentions so many limitations that are so glaring and require
modifications to IKE?

Raj
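The traffic-desc conflict the post describes, as an added example that is not part of the original message or of the draft: a toy model of what a server sees for transport-mode SAs arriving through one NAT. The addresses, SPIs and port choices are constructed, and the outbound selector is a simplified (address, protocol, ports) tuple, an assumption made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TransportSA:
    spi: int            # SPI the server sees on the UDP-encapsulated ESP packet
    client_orig_ip: str # client's pre-NAT address; not visible in the server's packets
    nat_ip: str         # address the server actually sees after NAT rewriting


@dataclass(frozen=True)
class TrafficDesc:
    protocol: str       # "tcp" or "udp"
    src_port: int       # client-side port
    dst_port: int       # server-side port


def outbound_selector(sa: TransportSA, td: TrafficDesc) -> tuple:
    """Selector the server can build for reply traffic.

    Only the post-NAT address survives; the client's real address is not
    part of the packets the server must route back, so it cannot be used.
    """
    return (sa.nat_ip, td.protocol, td.dst_port, td.src_port)


def find_conflicts(flows: list) -> dict:
    """Map each ambiguous reply selector to the SPIs that share it."""
    by_selector = defaultdict(list)
    for sa, td in flows:
        by_selector[outbound_selector(sa, td)].append(sa.spi)
    return {sel: spis for sel, spis in by_selector.items() if len(spis) > 1}


def sample_flows() -> list:
    """Constructed scenario: three clients behind one NAT (203.0.113.5)."""
    nat = "203.0.113.5"
    return [
        # Two TCP clients both pick the first ephemeral port toward HTTP.
        (TransportSA(0x1001, "10.0.0.2", nat), TrafficDesc("tcp", 1025, 80)),
        (TransportSA(0x1002, "10.0.0.3", nat), TrafficDesc("tcp", 1025, 80)),
        # A third client picked the next port, so its replies are unambiguous.
        (TransportSA(0x1003, "10.0.0.4", nat), TrafficDesc("tcp", 1026, 80)),
        # A UDP application with a fixed source port on two machines.
        (TransportSA(0x1004, "10.0.0.2", nat), TrafficDesc("udp", 123, 123)),
        (TransportSA(0x1005, "10.0.0.3", nat), TrafficDesc("udp", 123, 123)),
    ]


if __name__ == "__main__":
    for sel, spis in find_conflicts(sample_flows()).items():
        print(f"reply selector {sel} matches SPIs {[hex(s) for s in spis]}")
```

Each conflicting selector is one the server cannot resolve to a single SA for its replies, which is the failure mode the post attributes to Section 5.3.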
