
Re: UDP-encapsulated IPsec Transport mode



> (1) The security gateway (SG) will insert entries into its filtering
> database based on the traffic selector (ID) specified by the client
> during the QM exchange.
>
> (2) After the SG decrypted and decapsulated a UDP-encapsulated IPsec
> packet in the transport mode (i.e. removing the outer UDP header and ESP
> header), it will modify the source IP address in the outer IP header
> using the address in the NAT-OA payload it received in the QM exchange.
>
> With this scheme, the packet after decapsulation will pass the security
> policy at the SG and the checksum in the inner UDP/TCP header no longer
> needs to be re-computed by the SG as was described in section 3.1.2 in the
> draft.  Also it will solve the issue of multiple clients behind the same
> NAT box described in section 5.3.

So far, we at Trlokom have contented ourselves with pointing out the myriad
problems with the various versions of the existing draft.

However, the above proposal (specifically item #2 and all that it implies)
is so similar to what we have patented that we feel that we must raise the
IPR issue.  If this proposal or anything like it ends up in a future
version of the NAT traversal draft, it will violate our patents.  The same
goes for any implementation (independent of the draft) of the above
suggestion.

--
Sincerely,
John Lindal
Chief Software Architect, Trlokom, Inc.
http://www.trlokom.com/
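The mechanism in the quoted proposal, as an added illustration that is not part of the thread: a Python sketch, using constructed addresses rather than anything from the message, of why the inner UDP checksum of a transport-mode packet no longer verifies once a NAT has rewritten the outer source address, and of how restoring the NAT-OA address before the checksum and policy checks (step 2) lets the original checksum verify without recomputation and match the selector from step 1.

```python
import struct
import ipaddress

# Constructed addresses (not from the message): the client's real address, which
# it sends in NAT-OA and uses as its QM traffic selector; the address the NAT
# writes into the outer IP header; and the security gateway.
CLIENT_ADDR, NAT_ADDR, SG_ADDR = "10.0.0.5", "203.0.113.7", "198.51.100.1"

def ones_complement_sum(data):
    """16-bit one's-complement sum used by the IP, UDP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src, dst, udp_len):
    """IPv4 pseudo-header; its addresses are why a NAT rewrite breaks the checksum."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 17, udp_len))

def build_udp(src, dst, sport, dport, payload):
    """UDP segment with its RFC 768 checksum computed against the given addresses."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src, dst, length) + header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload

def udp_checksum_ok(src, dst, segment):
    """A valid segment sums, together with its pseudo-header, to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def sg_check(outer_src, segment, selector_src, nat_oa=None):
    """SG view after ESP decapsulation. Without nat_oa the outer header still
    carries the NAT's address (the case section 3.1.2 handles by recomputing);
    with nat_oa, step (2) restores the client's address first, so the original
    checksum verifies and the packet matches the QM selector from step (1)."""
    src = nat_oa or outer_src
    return {"checksum_ok": udp_checksum_ok(src, SG_ADDR, segment),
            "policy_ok": src == selector_src}

def scenario(restore_from_nat_oa):
    # The client checksummed against its own address, ESP protected the
    # segment, and the NAT rewrote only the outer IP source address.
    segment = build_udp(CLIENT_ADDR, SG_ADDR, 40000, 53, b"constructed payload")
    return sg_check(NAT_ADDR, segment, CLIENT_ADDR, CLIENT_ADDR if restore_from_nat_oa else None)
```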