
RE: Another NAT Traversal question
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com]
> On Behalf Of Charlie_Kaufman@notesdev.ibm.com
>
> My vote would be to just say no to using transport through NATs,

I agree!

> But looking at it again here, I don't think this works. If the TCP checksum
> is computed based on the addresses the sender of the packet sees, then
> packets going from the node with real addresses destined for the node with
> NATed addresses will have a TCP checksum computed based on the source
> address of the node with the real address and the destination address of

You are correct, and transport mode NAT traversal only works with L2TP or
if there is only one host behind the destination NAT. Another reason to
kill it, because it is not a general solution.

> the IPsec gateway. To adjust the checksum, the receiver would have to know
> the address of the NAT box, but I believe that as currently specified in
> both IKEv2 and NAT Traversal for IKEv1, the NATed node does not know the IP
> address of the NAT box. How does this work in deployed systems?? We could
> add more fields, but I have an alternate proposal:
>
> The traffic selectors have to contain the IP addresses of each node as
> known to the node itself. What if we said that if you use NATed transport
> mode, you have to compute and verify the TCP checksums using the addresses
> in the traffic selectors. That way the NAT-OA payload is not needed and the
> above problem is solved.
>

Good suggestion! Now you are moving in the direction of our method. :-)
Regarding how it works in deployed systems: a more general version of
your proposal is in our product, and there are tens of thousands of users
using it in all kinds of situations.

You will realize that using the IP address of the node as known to the node
itself is not good either, as there may be IP address conflicts between
road warriors. Take a look at the free version of our product to see how
we have solved the problem.

Anyway, we have addressed all possible deployment scenarios except for
mobile IP. We are hard at work to address that. Unfortunately, there are
only 24 hrs in a day. :-)

IMHO, killing the current transport mode with NAT traversal is very
important, especially if one is concerned about efficiency, security,
and QoS for applications like VoIP. There is no need for a solution that
is not covered by another solution and at the same time creates
obstacles in deployment of many important applications and a better
solution.

Regards,
Jayant
www.trlokom.com
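The checksum problem discussed in this thread, as an added example that is not part of the original mail or of any product mentioned in it. It builds a TCP segment with the RFC 793 pseudo-header checksum and shows why an ESP transport-mode receiver behind a NAT cannot verify it from the IP header it sees, how the NAT-OA (the pre-NAT address) repairs that, and how the proposal of checksumming over the traffic-selector addresses avoids NAT-OA entirely. The three addresses are constructed from documentation ranges.

```python
import socket
import struct

def _ones_complement_sum(data: bytes) -> int:
    # 16-bit one's-complement sum with end-around carry (RFC 1071)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length)
    plus the TCP segment with its own checksum field (bytes 16-17) zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    # Minimal 20-byte header (data offset 5, PSH|ACK), checksum filled in last
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]

def verify_tcp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

# Constructed addresses (documentation ranges), not taken from the thread.
REAL_NODE = "192.0.2.10"     # node with a real, routable address
NAT_PUBLIC = "198.51.100.7"  # address the NAT presents for the NATed node
NATED_NODE = "10.0.0.5"      # the NATed node's address as it knows itself

def scenario() -> dict:
    payload = b"constructed payload"
    results = {}
    # Current behaviour: the sender checksums over the addresses it sees.
    seg = build_tcp(REAL_NODE, NAT_PUBLIC, 1024, 80, payload)
    # In ESP transport mode the NAT rewrites the outer destination but cannot
    # touch the encrypted TCP header, so after decryption the receiver sees
    # dst = NATED_NODE and the checksum no longer matches its IP header.
    results["header_addresses"] = verify_tcp(REAL_NODE, NATED_NODE, seg)
    # With a NAT-OA payload the receiver knows the pre-NAT address and can
    # verify over it instead.
    results["with_nat_oa"] = verify_tcp(REAL_NODE, NAT_PUBLIC, seg)
    # Proposal from the thread: both sides checksum over the traffic-selector
    # addresses (each node as known to itself), so NAT-OA is not needed.
    seg_ts = build_tcp(REAL_NODE, NATED_NODE, 1024, 80, payload)
    results["traffic_selectors"] = verify_tcp(REAL_NODE, NATED_NODE, seg_ts)
    return results
```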