
Re: Another NAT Traversal question



 In your previous mail you wrote:

   >    I don't think you need to do what you have explained.
   > 
   > => I need it if I consider the transport layer is independent.
   
   Transport layer is not independent of IP layer.

=> it is a wording concern. What I tried to mean is that the
transport layer and the network layer are two different layers.

   The pseudo-header in
   transport layer checksum contains IP header information. 
   
   >    If you want, test the checksum before you authenticate/decrypt the
   >    packet.
   > 
   > => how? the checksum is ciphered.
   
   Checksum of the UDP header! If you check the checksum of the UDP header,
   and authenticate the packet, how in the world can you have errors or
   wrong checksum in the encapsulated part of the packet (I mean apart from
   the wrong IP address)? Please explain!
   
=> for instance in the hardware which manages IPsec and the main memory.
There is a lot of stuff about this in the archive because the discussion
about "why the transport checksum is mandatory even if we use links with
stronger error detection, ..." is very recurrent (just a bit less
than "why IPv6 has no header checksum").

BTW I propose to move the object of this discussion to Tero's NAT
traversal I-D (draft-ietf-ipsec-nat-t-ike-05.txt) which seems to
be already implemented and used.

Regards

Francis.Dupont@enst-bretagne.fr

PS: I didn't follow the iSCSI list but I'll be surprised if there is
nothing about "remove the transport checksum because ..." in its archive.
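
Added example, not part of the original message: the pseudo-header dependency discussed above, shown for UDP over IPv4. It assumes a receiver that sees a translated source address but knows the original one; all addresses, ports and the payload are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum, folded (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 17, UDP length."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 17, udp_len))

def build_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    """Build a UDP segment whose checksum covers the pseudo-header."""
    length = 8 + len(payload)
    head = struct.pack("!HHH", sport, dport, length)
    csum = ~ones_sum(pseudo_header(src, dst, length) + head + b"\0\0" + payload) & 0xFFFF
    return head + struct.pack("!H", csum or 0xFFFF) + payload  # 0 means "no checksum"

def verify_udp(src, dst, segment: bytes) -> bool:
    """A valid segment sums to 0xFFFF together with its pseudo-header."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def adjust_for_source(segment: bytes, old_src: str, new_src: str) -> bytes:
    """Incremental update (RFC 1624): HC' = ~(~HC + ~m + m')."""
    (old_csum,) = struct.unpack("!H", segment[6:8])
    m_old = ones_sum(ipaddress.IPv4Address(old_src).packed)
    m_new = ones_sum(ipaddress.IPv4Address(new_src).packed)
    total = (~old_csum & 0xFFFF) + (~m_old & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return segment[:6] + struct.pack("!H", (~total & 0xFFFF) or 0xFFFF) + segment[8:]

# Constructed sample: private sender, translated address as seen by the receiver.
ORIG_SRC, NAT_SRC, DST = "10.0.0.5", "203.0.113.7", "198.51.100.9"
SEGMENT = build_udp(ORIG_SRC, DST, 40000, 53, b"constructed payload")

if __name__ == "__main__":
    print(verify_udp(ORIG_SRC, DST, SEGMENT), verify_udp(NAT_SRC, DST, SEGMENT))
    print(verify_udp(NAT_SRC, DST, adjust_for_source(SEGMENT, ORIG_SRC, NAT_SRC)))
```

The segment bytes are identical in both checks; only the address fed into the pseudo-header differs, which is why an authenticated and intact payload can still fail the transport checksum after translation.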