Re: Another NAT Traversal question

[Ari Huttunen <Ari.Huttunen@f-secure.com>]

Jayant Shukla wrote:
> 
>>-----Original Message-----
>>From: owner-ipsec@lists.tislabs.com
> 
> [mailto:owner-ipsec@lists.tislabs.com]
> 
>>On Behalf Of Francis Dupont
>>
>>=> my concern is that I believe the way you fix the checksum will give
>>a correct checksum from a wrong one, i.e., you loose the detection
>>of errors which is the purpose of the checksum.
>>IMHO the checksum must be fixed using the original and new IP
> 
> addresses,
> 
>>i.e., you add the original addresses and substract the new addresses
>>in an one-complement arithmetic (the checksum is the opposite of the
>>sum of the pseudo-header and the transport message in one-complement.
>>At the exception of UDP/IPv4, zero is normalized, i.e., +0 is used.
>>What I propose is a direct application of RFC 1624 which requires
>>the original addresses).
>>
> 
> 
> I don't think you need to do what you have explained. Since you will
> authenticate and decrypt the packet, it guarantees that you don't have
> any flipped bits in the body of the encapsulated data.

No, this guarantees only that the bits didn't flip while they
were encrypted. If the bits were flipped before they entered
the ESP tunnel, that's another question.

Please don't anybody try to reinvent the wheel, unless you
find the existing wheel is not round enough. :)

Ari

-- 
I play it cool and dig all jive,
  that's the reason I stay alive.
   My motto as I live and learn,
    is dig and be dug in return. <Langston Hughes>

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com

F(ully)-Secure products: Securing the Mobile Enterprise