RE: Another NAT Traversal question

["Jayant Shukla" <jshukla@trlokom.com>]

> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
[mailto:owner-ipsec@lists.tislabs.com]
> On Behalf Of Ari Huttunen
> >
> > I don't think you need to do what you have explained. Since you will
> > authenticate and decrypt the packet, it guarantees that you don't
have
> > any flipped bits in the body of the encapsulated data.
> 
> No, this guarantees only that the bits didn't flip while they
> were encrypted. If the bits were flipped before they entered
> the ESP tunnel, that's another question.
> 

So you are worried about the errors before the packet hits the
wire?!!!!!!!
Remember we are talking about the transport mode processing, so that
packet has not hit the wire yet.

What I gather from the RFC 760 is that the checksums were meant to
detect errors on the wire.

Quote from RFC 760
---
"Damage is handled by adding a checksum to each segment transmitted,
checking it at the receiver, and discarding damaged segments."
---

I laud your effort if you want to use the checksum to detect the errors
inside the device. BTW, do you also have a mechanism to detect errors
that may happen when the data is handed over by the application to the
TCP/IP stack? 

> Please don't anybody try to reinvent the wheel, unless you
> find the existing wheel is not round enough. :)
> 

Not unless someone has turned a wheel into a square peg.

Transport mode is supposed to be end-to-end (client to client), and
transport mode with NAT traversal is _not_ end-to-end secure. This
should be enough reason for the area directors to kill it.

Regards,
Jayant
www.trlokom.com