
Re: Another NAT Traversal question



 In your previous mail you wrote:

   I'm worried about UDP/TCP checksums.
   ...
   
   What seems to be a problem is Transport mode.
   I thought I remembered some sort of payload
   type that would say "my IP address as I
   sent it is XXX", so that the receiving ESP

=> this is the NAT-OA (NAT Original Address) of
draft-ietf-ipsec-nat-t-ike-05.txt.

   could adjust the TCP checksum appropriately
   once it decrypts the packet. However, I
   don't see that in the current IKEv2 spec.

=> yes, someone forgot this...

   Instead I see this NAT-DETECTION-SOURCE-IP payload,

=> NAT-D (NAT discovery) from the same draft.

   but that's a hash of the IP address, not
   the actual address. Now I suppose with only
   32 bits of address, the receiver could calculate
   the actual address on the other side, but that
   seems needlessly computationally expensive.
   
=> this is why I proposed to replace the hash by the full
address. In fact, the hash is useful only when the peer
wants to keep its address secret.

   So...have we given up on Transport mode (would
   be fine with me),

=> NO, Transport mode is still very important.

   or does this really work somehow and I don't understand it?
   
=> it doesn't work yet.

Thanks

Francis.Dupont@enst-bretagne.fr
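The transport-mode checksum problem the thread is circling, worked through as an added example (this is not code from the message above or from the NAT-T draft): the sender computes its TCP checksum over a pseudo-header that contains its own address, the NAT rewrites that address in the outer IP header, and after ESP decryption the receiver can only re-validate or repair the checksum if it knows the address the sender originally used, which is what a NAT-OA payload would carry. The addresses, ports and the segment below are constructed for illustration; the repair uses the incremental one's-complement update from RFC 1624 rather than a full recomputation.

```python
"""Transport-mode TCP checksum check and fix-up using the original address (NAT-OA).

Constructed example: a sender behind a NAT at 10.0.0.5 sends to 192.0.2.10; the
NAT rewrites the outer source to 203.0.113.7.  The ESP-protected TCP segment still
carries the checksum computed over 10.0.0.5, so the receiver's stack would reject it.
"""
import struct

TCP_PROTO = 6

ORIG_SRC = bytes([10, 0, 0, 5])      # address the sender used (what NAT-OA would convey)
NAT_SRC = bytes([203, 0, 113, 7])    # address the NAT wrote into the outer header
DST = bytes([192, 0, 2, 10])


def _fold(s: int) -> int:
    """Fold carries until the sum fits in 16 bits (one's-complement addition)."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def _words(data: bytes) -> list:
    """Split bytes into big-endian 16-bit words, zero-padding an odd tail."""
    if len(data) % 2:
        data += b"\x00"
    return [(data[i] << 8) | data[i + 1] for i in range(0, len(data), 2)]


def _pseudo_header(src_ip: bytes, dst_ip: bytes, seg_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, seg_len)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Internet checksum over pseudo-header + segment, checksum field (bytes 16..17) zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = sum(_words(_pseudo_header(src_ip, dst_ip, len(segment)) + zeroed))
    return (~_fold(total)) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A segment verifies when pseudo-header + segment (checksum included) folds to 0xFFFF."""
    total = sum(_words(_pseudo_header(src_ip, dst_ip, len(segment)) + segment))
    return _fold(total) == 0xFFFF


def build_segment(src_ip: bytes, dst_ip: bytes) -> bytes:
    """Constructed 20-byte SYN segment (port 40000 -> 22) with a valid checksum for src_ip."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def fixup_checksum(old_csum: int, old_addr: bytes, new_addr: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied per 16-bit word of the
    address that changed.  Equivalent to recomputing over the whole segment,
    but touches only the checksum field."""
    s = (~old_csum) & 0xFFFF
    for m_old, m_new in zip(_words(old_addr), _words(new_addr)):
        s += ((~m_old) & 0xFFFF) + m_new
    return (~_fold(s)) & 0xFFFF


def receiver_fixup(segment: bytes, outer_src: bytes, dst: bytes, nat_oa: bytes) -> bytes:
    """Receiver path after ESP decryption in transport mode.

    The IP header now carries the NATed source, so the peer's checksum no
    longer matches it.  Verify against the original address from NAT-OA, then
    rewrite the checksum for the address actually in the header so the local
    TCP stack accepts the segment.  Raises ValueError if the segment does not
    verify even with the original address (real corruption, not NAT damage).
    """
    if not checksum_ok(nat_oa, dst, segment):
        raise ValueError("bad TCP checksum even with the NAT-OA address")
    old = struct.unpack("!H", segment[16:18])[0]
    new = fixup_checksum(old, nat_oa, outer_src)
    return segment[:16] + struct.pack("!H", new) + segment[18:]


if __name__ == "__main__":
    seg = build_segment(ORIG_SRC, DST)
    print("as sent, checked with NATed address :", checksum_ok(NAT_SRC, DST, seg))
    print("as sent, checked with NAT-OA address:", checksum_ok(ORIG_SRC, DST, seg))
    fixed = receiver_fixup(seg, NAT_SRC, DST, ORIG_SRC)
    print("after fix-up, NATed address         :", checksum_ok(NAT_SRC, DST, fixed))
```

Without the original address the receiver has no way to tell a NAT-rewritten checksum from a corrupted one; with it, either re-verification or the incremental rewrite is enough, and the rewrite avoids summing the whole payload a second time.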