
Re: Another NAT Traversal question



 In your previous mail you wrote:

   >  In your previous mail you wrote:
   > 
   >    The checksum is being fixed according to the new IP addresses in
   >    the IP header and therefore you don't need the original IP address.
   > 
   > => so you give up the transport checksum ?
   
   I am not sure I understand what you mean. My explanation is based on the
   draft. 
   
=> my concern is that I believe the way you fix the checksum will give
a correct checksum from a wrong one, i.e., you lose the detection
of errors which is the purpose of the checksum.
IMHO the checksum must be fixed using the original and new IP addresses,
i.e., you add the original addresses and subtract the new addresses
in one's complement arithmetic (the checksum is the opposite of the
sum of the pseudo-header and the transport message in one's complement.
With the exception of UDP/IPv4, zero is normalized, i.e., +0 is used.
What I propose is a direct application of RFC 1624 which requires
the original addresses).

Regards

Francis.Dupont@enst-bretagne.fr

PS (for the list): should we be more accurate in IKEv2 draft?
Current text in draft-ietf-ipsec-nat-t-ike-05.txt is:

The original source and destination addresses are used in
transport mode to incrementally update the TCP/IP checksums so that they
will match after the NAT transform (The NAT cannot do this, because the
TCP/IP checksum is inside the UDP encapsulated IPsec packet).

(BTW this text is fine for me, the issue is that it is not in both drafts).
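The point Francis makes above, as an added worked example that is not part of the thread or of either draft: a TCP segment is checksummed under its original addresses, then "fixed" for the NAT-translated source address in two ways. Recomputing the checksum from scratch over the new addresses (what the quoted explanation amounts to) turns a corrupted packet into one that verifies, so the error is lost; the RFC 1624 incremental update (add the original address words, subtract the new ones in one's complement) carries the original error over, so the receiver still rejects the packet, and on an uncorrupted packet it produces exactly the same value as a full recompute. The addresses, ports and payload are constructed for the demo.

```python
"""RFC 1624 incremental TCP checksum update versus a naive recompute after NAT.

Added example, not code from the thread or the IKEv2 NAT-T drafts.
Addresses, ports and payload below are constructed test data.
"""
import struct

TCP_PROTO = 6


def ones_sum(words):
    """One's complement sum of 16-bit words, folded to 16 bits after each add."""
    s = 0
    for w in words:
        s += w & 0xFFFF
        s = (s & 0xFFFF) + (s >> 16)
    return s


def to_words(data):
    """Split bytes into big-endian 16-bit words, zero-padding an odd tail."""
    if len(data) % 2:
        data += b"\x00"
    return list(struct.unpack("!%dH" % (len(data) // 2), data))


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def addr_words(addr):
    """Dotted-quad IPv4 address -> the two 16-bit words RFC 1624 operates on."""
    return to_words(ip_bytes(addr))


def pseudo_header(src, dst, proto, length):
    """IPv4 pseudo-header: src, dst, zero, protocol, transport length."""
    return ip_bytes(src) + ip_bytes(dst) + struct.pack("!BBH", 0, proto, length)


def tcp_checksum(src, dst, segment):
    """Full recompute: one's complement of the sum, checksum field taken as zero.
    TCP keeps a computed +0 as 0x0000; only UDP/IPv4 rewrites it to 0xFFFF."""
    seg = segment[:16] + b"\x00\x00" + segment[18:]
    s = ones_sum(to_words(pseudo_header(src, dst, TCP_PROTO, len(segment)) + seg))
    return (~s) & 0xFFFF


def set_checksum(segment, csum):
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def get_checksum(segment):
    return struct.unpack("!H", segment[16:18])[0]


def tcp_verify(src, dst, segment):
    """Receiver check: the sum over pseudo-header and segment must be -0 (0xFFFF)."""
    s = ones_sum(to_words(pseudo_header(src, dst, TCP_PROTO, len(segment)) + segment))
    return s == 0xFFFF


def rfc1624_update(old_csum, old_words, new_words):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), applied to each replaced word.
    Only the old checksum and the old/new address words are needed, not the payload."""
    terms = [~old_csum] + [~w for w in old_words] + list(new_words)
    return (~ones_sum(terms)) & 0xFFFF


def build_segment(sport, dport, payload):
    """Minimal 20-byte TCP header (PSH|ACK, no options) with checksum zeroed."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 8192, 0, 0)
    return hdr + payload


def demo():
    inner_src, dst = "10.0.0.5", "203.0.113.10"  # constructed: host behind the NAT, peer
    nat_src = "198.51.100.7"                      # constructed: source address after the NAT
    seg = build_segment(40000, 443, b"hello world")
    seg = set_checksum(seg, tcp_checksum(inner_src, dst, seg))

    # 1. Intact packet: incremental update and full recompute must agree.
    incr = rfc1624_update(get_checksum(seg), addr_words(inner_src), addr_words(nat_src))
    full = tcp_checksum(nat_src, dst, seg)

    # 2. One payload byte corrupted in flight ('o' -> 'j' at offset 24) before the fix-up.
    bad = seg[:24] + b"j" + seg[25:]
    naive = set_checksum(bad, tcp_checksum(nat_src, dst, bad))          # new addresses only
    proper = set_checksum(bad, rfc1624_update(get_checksum(bad),        # original + new
                                              addr_words(inner_src), addr_words(nat_src)))
    return {
        "original_verifies": tcp_verify(inner_src, dst, seg),
        "incremental_matches_full": incr == full,
        "naive_hides_error": tcp_verify(nat_src, dst, naive),
        "incremental_detects_error": not tcp_verify(nat_src, dst, proper),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %s" % (k, v))
```

The receiver only ever sees the translated addresses, so from its side the naively recomputed packet is indistinguishable from a good one; the RFC 1624 path needs the original addresses (which is what the quoted draft text for transport mode provides) precisely because the error-detecting value it preserves was computed over them.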