
IPSec NAT pass-through and TCP checksums

From a review of the NAT-T and UDP encap IDs,
it seems that the entity that is within the
private network (and behind the NAT gw) does not have access to the
public side IP address of the NAT gw.

This in turn causes the receiver of transport-udp mode traffic to
recompute the entire TCP checksum as opposed to an adjustment of it.

From the statements in the relevant sections of the ID, it seems that
this is in fact correct. I am wondering however, why not simply add a
NAT-NA (NAT Address) payload (optionally) sent by the public side
device, which has this address, to the other party involved in
the IKE exchange so that a simple recomputation should suffice. Of
course if both sides are behind NAT gws then all bets are off.

I may be opening up an old wound here unknowingly, and my apologies
for that in advance.

Regards,

Bora Akyol

PS. I did try to search the list archives on this topic,
but neither of the two FTP sites is working tonight.