[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-ipsec-udp-encaps-06 comments.

Jean-Francois Dive wrote:
> Hi all,
> I am actually busy with implementing NAT-T in IKEv1 context and found something which may have been
> overlooked (or that i missed the discussion on this list). In section 3.1.2, the author talk about the
> procedure to follow for udp encpasulated transport mode NAT decapsulation. I totally agress with the 
> first point (point (a)) but think the second point (point (b)) is totally wrong and should never be 
> implemented as such: it is suggested that if we dont have the original source or destination ip 
> addresses, the TCP/UDP checksum of the packet should be recomputed to match the NAT'ed ip pseudo header. 
> This cant happen as it would make corrupted packets appears as proper packets, the checksum "mangling"
> or update beeing right as a wrong checksum at the start would remain wrong. The only proper way to 
> deal with this would be to go with checksum update when you have the information and no checksum 
> at all if you dont have the information. 
> Any comments ?

You wouldn't use ESP without authentication, would you? In transport
mode there's no chance that the packet contents accidentally changed
if the packet is authenticated. It wouldn't pass authentication checking.


I play it cool and dig all jive,
  that's the reason I stay alive.
   My motto as I live and learn,
    is dig and be dug in return. <Langston Hughes>

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com

F(ully)-Secure products: Securing the Mobile Enterprise