[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Another NAT Traversal question

To: <ipsec@lists.tislabs.com>
Subject: Another NAT Traversal question
From: Radia Perlman - Boston Center for Networking <Radia.Perlman@sun.com>
Date: Mon, 24 Feb 2003 23:37:22 -0500
Reply-To: <radia.perlman@sun.com>
Sender: owner-ipsec@lists.tislabs.com

I'm worried about UDP/TCP checksums.

In tunnel mode, it's not a problem, since
the inner IP header doesn't get modified
by the NAT.

In UDP-encapsulation, it's not a problem,
since the inner IP header doesn't get modified,
and the outer UDP header is unencrypted and
the NAT can fix the checksum.

What seems to be a problem is Transport mode.
I thought I remembered some sort of payload
type that would say "my IP address as I
sent it is XXX", so that the receiving ESP
could adjust the TCP checksum appropriately
once it decrypts the packet. However, I
don't see that in the current IKEv2 spec. Instead
I see this NAT-DETECTION-SOURCE-IP payload,
but that's a hash of the IP address, not
the actual address. Now I suppose with only
32 bits of address, the receiver could calculate
the actual address on the other side, but that
seems needlessly computationally expensive.

So...have we given up on Transport mode (would
be fine with me), or does this really work
somehow and I don't understand it?

Radia

Follow-Ups:
- Re: Another NAT Traversal question
  - From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
- RE: Another NAT Traversal question
  - From: "Jayant Shukla" <jshukla@trlokom.com>

Prev by Date: Some IKE/NAT questions
Next by Date: Re: Another NAT Traversal question
Prev by thread: Re: Some IKE/NAT questions
Next by thread: Re: Another NAT Traversal question
Index(es):
- Date
- Thread