[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
draft-ietf-ipsec-udp-encaps-06 comments.
Hi all,
I am actually busy with implementing NAT-T in IKEv1 context and found something which may have been
overlooked (or that i missed the discussion on this list). In section 3.1.2, the author talk about the
procedure to follow for udp encpasulated transport mode NAT decapsulation. I totally agress with the
first point (point (a)) but think the second point (point (b)) is totally wrong and should never be
implemented as such: it is suggested that if we dont have the original source or destination ip
addresses, the TCP/UDP checksum of the packet should be recomputed to match the NAT'ed ip pseudo header.
This cant happen as it would make corrupted packets appears as proper packets, the checksum "mangling"
or update beeing right as a wrong checksum at the start would remain wrong. The only proper way to
deal with this would be to go with checksum update when you have the information and no checksum
at all if you dont have the information.
Any comments ?
Thanks,
Regards,
Jean-Francois Dive
--
-> Jean-Francois Dive
--> jef@linuxbe.org
There is no such thing as randomness. Only order of infinite
complexity. - Marquis de LaPlace - deterministic Principles -