
RE: Another NAT Traversal question

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]
> On Behalf Of Francis Dupont
> 
> => my concern is that I believe the way you fix the checksum will give
> a correct checksum from a wrong one, i.e., you lose the detection
> of errors which is the purpose of the checksum.
> IMHO the checksum must be fixed using the original and new IP addresses,
> i.e., you add the original addresses and subtract the new addresses
> in one's-complement arithmetic (the checksum is the opposite of the
> sum of the pseudo-header and the transport message in one's-complement.
> With the exception of UDP/IPv4, zero is normalized, i.e., +0 is used.
> What I propose is a direct application of RFC 1624 which requires
> the original addresses).
> 

I don't think you need to do what you have explained. Since you will
authenticate and decrypt the packet, it guarantees that you don't have
any flipped bits in the body of the encapsulated data.

If you want, test the checksum before you authenticate/decrypt the
packet.

Regards,
Jayant
www.trlokom.com
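The incremental fix-up Francis quotes from RFC 1624 (HC' = ~(~HC + ~m + m'), with m the original and m' the new address), as an added example that is not from this thread or either poster: the addresses, the datagram bytes and the `nat_then_verify` helper are constructed for the demonstration, and the second case shows why folding only the address change keeps an in-transit bit flip detectable, which a recomputation over the datagram would mask.

```c
/* Incremental UDP/IPv4 checksum fix-up for a NAT source-address rewrite,
 * following RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') in one's-complement arithmetic.
 * Added example, not code from the thread; packet bytes below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fold 16-bit big-endian words into a one's-complement sum (odd trailing byte zero-padded). */
static uint32_t ones_add(uint32_t sum, const uint8_t *p, size_t n) {
    for (size_t i = 0; i + 1 < n; i += 2) sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (n & 1) sum += (uint32_t)p[n - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return sum;
}

/* UDP/IPv4 checksum from scratch over pseudo-header + datagram (checksum field must be 0).
 * UDP/IPv4 is the exception Francis mentions: a computed 0 is transmitted as 0xffff. */
uint16_t udp_checksum(const uint8_t src[4], const uint8_t dst[4], const uint8_t *udp, size_t len) {
    uint8_t ph[12] = {0};
    memcpy(ph, src, 4); memcpy(ph + 4, dst, 4);
    ph[9] = 17; ph[10] = (uint8_t)(len >> 8); ph[11] = (uint8_t)len;
    uint16_t c = (uint16_t)~ones_add(ones_add(0, ph, 12), udp, len);
    return c ? c : 0xffff;
}

/* RFC 1624 eq. 3: take the old address out (add its complement) and add the new one.
 * Only the stored checksum and the two addresses are needed; the payload is never
 * re-summed, so a bit flip already present in the payload stays detectable. */
uint16_t nat_fixup(uint16_t hc, const uint8_t old_addr[4], const uint8_t new_addr[4]) {
    uint8_t not_old[4];
    for (int i = 0; i < 4; i++) not_old[i] = (uint8_t)~old_addr[i];
    uint32_t s = ones_add((uint16_t)~hc, not_old, 4);   /* ~HC + ~m */
    uint16_t c = (uint16_t)~ones_add(s, new_addr, 4);   /* ~(~HC + ~m + m') */
    return c ? c : 0xffff;
}

/* Constructed datagram 10.0.0.2 -> 192.0.2.1; a simulated NAT rewrites the source to
 * 198.51.100.7, optionally after one payload bit was flipped in transit. Returns 1 if the
 * incrementally fixed checksum still matches the receiver's from-scratch recomputation. */
int nat_then_verify(int corrupt_payload) {
    const uint8_t src[4] = {10, 0, 0, 2}, dst[4] = {192, 0, 2, 1}, nat[4] = {198, 51, 100, 7};
    uint8_t udp[13] = {0x12, 0x34, 0x00, 0x35, 0x00, 0x0d, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    uint16_t hc = udp_checksum(src, dst, udp, sizeof udp);   /* sender fills the checksum */
    if (corrupt_payload) udp[8] ^= 0x01;                     /* bit flip before the NAT */
    uint16_t fixed = nat_fixup(hc, src, nat);                /* NAT: addresses only */
    return fixed == udp_checksum(nat, dst, udp, sizeof udp); /* receiver's verification */
}
```

`nat_then_verify(0)` returns 1 (the incremental result equals a fresh computation) and `nat_then_verify(1)` returns 0 (the corrupted datagram is still rejected at the receiver).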