
RE: IPSec NAT pass-through and TCP checksums

> From the statements in the relevant sections of the ID, it seems that
> this is in fact correct. I am wondering however, why not simply add a
> NAT-NA (NAT Address) payload (optionally) sent by the public side
> device, which has this address, to the other party involved in
> the IKE exchange so that a simple recomputation should suffice. Of
> course if both sides are behind NAT gws then all bets are off.

This occurred to me; actually, I think we can even sort out the
double NAT case.

The initiator sends as part of the key agreement a statement of
1) What it believes its source IP address to be
2) What it believes the destination IP address to be

This can then be stored with the SA and used to fix up the packets.


> I may be opening up an old wound here unknowingly, and my apologies
> for that in advance.

Patent troll perhaps???

When, in the distant past, there were discussions of NAT, the frequent
pushback was 'if you are NAT on the NET you are NOT on the NET'. So
I would not take a great deal of notice of the old wounds.

The WG now understands that NATs exist and are not going away, and so
we all have to work out how we can live with them (translation: I have
a NAT box at home and I want my VPN to work through it)...


		Phill
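Phill's proposal above (the initiator declares the source and destination addresses it believes it is using, the peer stores them with the SA and uses them to fix up the TCP checksum of packets whose TCP header is protected by ESP) as an added worked example. This code is not part of the original thread and is not any implementation's code; the addresses, ports and payload are constructed, and `SAAddresses` and the helper names are this example's own. The receiver only needs to correct the pseudo-header address words, so it can use the RFC 1624 incremental update instead of re-summing the whole segment, and the same step covers the double NAT case (both addresses differ from what the initiator declared). This is essentially what NAT-T later standardised as the NAT-OA payload (RFC 3947) with the checksum fix-up in RFC 3948.

```python
"""
Fix up an ESP-protected TCP checksum after NAT using the addresses the
initiator declared during key agreement (stored with the SA).
Added example; every address, port and payload below is constructed.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed topology: initiator behind NAT A, responder (optionally) behind NAT B.
INITIATOR_PRIVATE = "10.0.0.5"       # what the initiator believes its source to be
INITIATOR_PUBLIC = "203.0.113.9"     # NAT A's outside address, seen by the responder
RESPONDER_PUBLIC = "198.51.100.7"    # what the initiator believes the destination to be
RESPONDER_PRIVATE = "172.16.0.2"     # responder's real address behind NAT B (double NAT)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 TCP pseudo-header: src, dst, zero, protocol 6, TCP length."""
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Full checksum over pseudo-header + segment; the checksum field must be zero."""
    return (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)) & 0xFFFF


def tcp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """With a correct checksum in place, the sum over everything folds to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def address_words(addr: str):
    """An IPv4 address as the two 16-bit words it contributes to the pseudo-header."""
    return list(struct.unpack("!HH", IPv4Address(addr).packed))


def fixup_checksum(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), over every changed word."""
    total = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        total += ((~m) & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class SAAddresses:
    """The initiator's declared addresses, kept with the SA (hypothetical record)."""
    declared_src: str
    declared_dst: str


def build_segment(sport: int, dport: int, seq: int, payload: bytes) -> bytes:
    """Minimal TCP segment (PSH|ACK, no options) with a zero checksum field."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 0xFFFF, 0, 0)
    return hdr + payload


def with_checksum(segment: bytes, csum: int) -> bytes:
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def fix_inner_tcp(segment: bytes, sa: SAAddresses, observed_src: str, observed_dst: str) -> bytes:
    """Receiver side: move the protected checksum from the declared to the observed
    addresses. Only pseudo-header words change, so the payload is never re-summed."""
    old_words = address_words(sa.declared_src) + address_words(sa.declared_dst)
    new_words = address_words(observed_src) + address_words(observed_dst)
    old_csum = struct.unpack("!H", segment[16:18])[0]
    return with_checksum(segment, fixup_checksum(old_csum, old_words, new_words))


def demo() -> dict:
    sa = SAAddresses(declared_src=INITIATOR_PRIVATE, declared_dst=RESPONDER_PUBLIC)
    seg0 = build_segment(40000, 443, 1000, b"GET / HTTP/1.0\r\n\r\n")
    seg = with_checksum(seg0, tcp_checksum(sa.declared_src, sa.declared_dst, seg0))
    # NAT A rewrites only the outer IP header; the ESP-protected TCP header is untouched.
    single = fix_inner_tcp(seg, sa, INITIATOR_PUBLIC, RESPONDER_PUBLIC)
    double = fix_inner_tcp(seg, sa, INITIATOR_PUBLIC, RESPONDER_PRIVATE)
    csum = lambda s: struct.unpack("!H", s[16:18])[0]
    return {
        "original_csum": csum(seg),
        "ok_before_nat": tcp_checksum_ok(INITIATOR_PRIVATE, RESPONDER_PUBLIC, seg),
        "ok_after_nat_no_fix": tcp_checksum_ok(INITIATOR_PUBLIC, RESPONDER_PUBLIC, seg),
        "single_nat_csum": csum(single),
        "single_nat_ok": tcp_checksum_ok(INITIATOR_PUBLIC, RESPONDER_PUBLIC, single),
        "single_nat_matches_full": csum(single) == tcp_checksum(INITIATOR_PUBLIC, RESPONDER_PUBLIC, seg0),
        "double_nat_csum": csum(double),
        "double_nat_ok": tcp_checksum_ok(INITIATOR_PUBLIC, RESPONDER_PRIVATE, double),
        "double_nat_matches_full": csum(double) == tcp_checksum(INITIATOR_PUBLIC, RESPONDER_PRIVATE, seg0),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:#06x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

Two things worth noting. The inner TCP ports never change (the NAT cannot see them), so only the four address words enter the fix-up; the UDP port a NAT-T box rewrites on the outer header is not part of the inner pseudo-header. And the fix-up needs only the declared and observed addresses plus the old checksum, so it costs the receiver a handful of additions per packet rather than a second pass over the payload.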