Re: draft-ietf-ipsec-udp-encaps-06 comments.
On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote:
> Jean-Francois Dive wrote:
> >Hi all,
> >
> >I am actually busy with implementing NAT-T in an IKEv1 context and found
> >something which may have been overlooked (or that I missed the discussion
> >on this list). In section 3.1.2, the author talks about the procedure to
> >follow for UDP-encapsulated transport mode NAT decapsulation.
> >I totally agree with the first point (point (a)) but think the second
> >point (point (b)) is totally wrong and should never be implemented as
> >such: it is suggested that if we don't have the original source or
> >destination IP addresses, the TCP/UDP checksum of the packet should be
> >recomputed to match the NAT'ed IP pseudo-header. This can't happen, as it
> >would make corrupted packets appear as proper packets, the checksum
> >"mangling" or update being right as a wrong checksum at the start would
> >remain wrong. The only proper way to deal with this would be to go with
> >checksum update when you have the information and no checksum at all if
> >you don't have the information.
> >Any comments?
>
> You wouldn't use ESP without authentication, would you? In transport
> mode there's no chance that the packet contents accidentally changed
> if the packet is authenticated. It wouldn't pass authentication checking.
Consider the following:
- A packet is transmitted from a station.
- It hops through a dodgy router which corrupts it.
- It goes through the IPsec gateway and gets UDP-in-ESP encapsulated.
- It goes through a NAT gateway.
- It arrives at the IPsec gateway, where the issue arises: the
  authenticated content never changed on the path.
>
> Ari
>
> --
> I play it cool and dig all jive,
> that's the reason I stay alive.
> My motto as I live and learn,
> is dig and be dug in return. <Langston Hughes>
>
> Ari Huttunen phone: +358 9 2520 0700
> Software Architect fax : +358 9 2520 5001
>
> F-Secure Corporation http://www.F-Secure.com
>
> F(ully)-Secure products: Securing the Mobile Enterprise
--
-> Jean-Francois Dive
--> jef@linuxbe.org
There is no such thing as randomness. Only order of infinite
complexity. - Marquis de LaPlace - deterministic Principles -
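Added illustration of the checksum argument in this thread (example code written for this page, not code from the draft, from the thread, or from any IPsec implementation): a minimal UDP checksum over the IPv4 pseudo-header, the RFC 1624 incremental update that applies when the original address is known (the thread's point (a)), and a full recomputation for when it is not (point (b)). The addresses 10.0.0.1, 192.0.2.1 and 203.0.113.5, the "hello world" payload and every function name are constructed for the example. Run on a packet whose payload was corrupted before ESP authentication was applied, the incremental update leaves the checksum wrong and the receiver still rejects the datagram, while recomputation produces a checksum that matches the damaged payload and the corruption is masked, which is the case Jean-Francois describes.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample datagram (not from the draft or the thread): hypothetical
 * RFC 5737 documentation addresses and an 11-byte payload. */
#define PAYLOAD_LEN 11
static const uint32_t NAT_SRC = 0xCB007105u;   /* 203.0.113.5, hypothetical NAT address */

struct udp_pkt {
    uint32_t src, dst;                    /* IPv4 addresses, host byte order */
    uint16_t sport, dport, length, csum;  /* length = 8-byte header + payload */
    uint8_t  payload[PAYLOAD_LEN];
};

static void put16(uint8_t *b, uint16_t v) { b[0] = (uint8_t)(v >> 8); b[1] = (uint8_t)v; }
static void put32(uint8_t *b, uint32_t v) { put16(b, (uint16_t)(v >> 16)); put16(b + 2, (uint16_t)v); }

/* One's-complement sum of big-endian 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t ocsum(uint32_t acc, const uint8_t *buf, size_t len)
{
    for (; len > 1; buf += 2, len -= 2) acc += (uint32_t)buf[0] << 8 | buf[1];
    if (len) acc += (uint32_t)buf[0] << 8;
    return acc;
}

static uint16_t fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Sum of pseudo-header (src, dst, 0, proto 17, length), UDP header and payload,
 * with the checksum field set to csum_field. */
static uint32_t sum_pkt(const struct udp_pkt *p, uint16_t csum_field)
{
    uint8_t buf[12 + 8 + PAYLOAD_LEN];
    put32(buf, p->src); put32(buf + 4, p->dst);
    buf[8] = 0; buf[9] = 17; put16(buf + 10, p->length);
    put16(buf + 12, p->sport); put16(buf + 14, p->dport);
    put16(buf + 16, p->length); put16(buf + 18, csum_field);
    memcpy(buf + 20, p->payload, PAYLOAD_LEN);
    return ocsum(0, buf, sizeof buf);
}

/* Full recomputation from the packet as it now stands (the "point (b)" path). */
static uint16_t udp_checksum(const struct udp_pkt *p)
{
    uint16_t c = (uint16_t)~fold(sum_pkt(p, 0));
    return c ? c : 0xffff;   /* UDP: a transmitted 0 means "no checksum" */
}

/* Receiver-side check: the sum including the stored checksum must fold to 0xffff. */
static int udp_verify(const struct udp_pkt *p)
{
    if (p->csum == 0) return 1;   /* no checksum present, nothing to check */
    return fold(sum_pkt(p, p->csum)) == 0xffff;
}

/* Incremental update, RFC 1624: HC' = ~(~HC + ~m + m'), applied to both halves of
 * a 32-bit field (the "point (a)" path). Any pre-existing error is carried through. */
static uint16_t csum_update32(uint16_t hc, uint32_t old_v, uint32_t new_v)
{
    uint32_t acc = (uint16_t)~hc;
    acc += (uint16_t)~(old_v >> 16); acc += (uint16_t)~(old_v & 0xffff);
    acc += new_v >> 16;              acc += new_v & 0xffff;
    uint16_t c = (uint16_t)~fold(acc);
    return c ? c : 0xffff;
}

static struct udp_pkt make_sample(void)
{
    struct udp_pkt p;
    memset(&p, 0, sizeof p);
    p.src = 0x0A000001u;   /* 10.0.0.1, hypothetical inner host */
    p.dst = 0xC0000201u;   /* 192.0.2.1 */
    p.sport = 40000; p.dport = 53; p.length = 8 + PAYLOAD_LEN;
    memcpy(p.payload, "hello world", PAYLOAD_LEN);
    p.csum = udp_checksum(&p);   /* correct as sent by the station */
    return p;
}

/* Scenario: optionally flip a payload bit (the "dodgy router", before ESP auth is
 * applied), then source-NAT and repair the checksum incrementally or by recomputation. */
static int run_scenario(int corrupt, int recompute)
{
    struct udp_pkt p = make_sample();
    if (corrupt) p.payload[0] ^= 0x01;
    if (!recompute) p.csum = csum_update32(p.csum, p.src, NAT_SRC);
    p.src = NAT_SRC;
    if (recompute) p.csum = udp_checksum(&p);
    return udp_verify(&p);
}

int clean_incremental_verifies(void)        { return run_scenario(0, 0); }
int corrupted_incremental_still_fails(void) { return !run_scenario(1, 0); }
int corrupted_recompute_masks_error(void)   { return run_scenario(1, 1); }
```

Each of the three exported functions returns 1 in the situation its name describes; compile with any C99 compiler and call them from a main of your own. The third one is the point of the thread: once the checksum is rebuilt from the received bytes, the receiver has no way left to tell a damaged payload from a good one, while the incremental path only moves the address delta and keeps whatever error the checksum already carried.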