
Re: draft-ietf-ipsec-udp-encaps-06 comments.



On Wed, Jun 11, 2003 at 04:25:38PM +0200, Jean-Francois Dive wrote:
> On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote:
> > Jean-Francois Dive wrote:
> > >Hi all,
> > >
> > >I am actually busy with implementing NAT-T in IKEv1 context and found
> > >something which may have been overlooked (or that I missed the discussion
> > >on this list). In section 3.1.2, the author talks about the procedure to
> > >follow for UDP-encapsulated transport mode NAT decapsulation. I totally
> > >agree with the first point (point (a)) but think the second point
> > >(point (b)) is totally wrong and should never be implemented as such: it
> > >is suggested that if we don't have the original source or destination IP
> > >addresses, the TCP/UDP checksum of the packet should be recomputed to
> > >match the NAT'ed IP pseudo header. This can't happen as it would make
> > >corrupted packets appear as proper packets, the checksum "mangling" or
> > >update being right as a wrong checksum at the start would remain wrong.
> > >The only proper way to deal with this would be to go with checksum update
> > >when you have the information and no checksum at all if you don't have
> > >the information.
> > >Any comments ?
> > 
> > You wouldn't use ESP without authentication, would you? In transport
> > mode there's no chance that the packet contents accidentally changed
> > if the packet is authenticated. It wouldn't pass authentication checking.
> 
> consider the following:
> - packet is xmt'ed from a station.
> - hops through a dodgy router which corrupts it.
> - Go through the IPsec gateway, get UDPinESP'ed.
> - Go through a NAT gateway.
> - Arrive in the IPsec gateway, the issue arises, the authenticated
>   content never changed on the path.

ok, something slipped away from my mind when coding this thing, we are in
transport mode so this is hardly going to happen....

> > Ari
> > 
> > -- 
> > I play it cool and dig all jive,
> >  that's the reason I stay alive.
> >   My motto as I live and learn,
> >    is dig and be dug in return. <Langston Hughes>
> > 
> > Ari Huttunen                   phone: +358 9 2520 0700
> > Software Architect             fax  : +358 9 2520 5001
> > 
> > F-Secure Corporation       http://www.F-Secure.com
> > 
> > F(ully)-Secure products: Securing the Mobile Enterprise
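Jean-Francois's objection in the quoted text, as an added example that is not part of the thread: a small Python model of the two section 3.1.2 options applied to a UDP datagram after a source NAT, using constructed addresses, ports and payload (all hypothetical). Option (a) fixes the existing checksum incrementally, so a datagram corrupted before it reached the IPsec endpoint still fails verification; option (b) recomputes the checksum from scratch over the NAT'ed pseudo-header and the corruption is masked.

```python
import struct

# Constructed sample values (hypothetical): addresses before and after a source NAT.
OLD_SRC, OLD_DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # original, pre-NAT
NEW_SRC, NEW_DST = bytes([192, 0, 2, 1]), OLD_DST                # as seen after NAT
PAYLOAD = b"ping"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's complement sum of 16-bit big-endian words, carries folded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 17, udp_len)   # protocol 17 = UDP


def build_udp(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """UDP header (ports 5000 -> 4500) with a full checksum over pseudo-header + datagram."""
    hdr = struct.pack("!HHHH", 5000, 4500, 8 + len(payload), 0)
    ck = (~ones_complement_sum(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)) & 0xFFFF
    return hdr[:6] + struct.pack("!H", ck or 0xFFFF) + payload   # 0 means "no checksum" in UDP


def verify(src: bytes, dst: bytes, udp: bytes) -> bool:
    return ones_complement_sum(pseudo_header(src, dst, len(udp)) + udp) == 0xFFFF


def fixup_checksum(udp, old_src, old_dst, new_src, new_dst) -> bytes:
    """Option (a): RFC 1624 incremental update of only the pseudo-header words NAT
    changed. A checksum that was wrong on arrival stays wrong."""
    old_ck = struct.unpack("!H", udp[6:8])[0]
    s = (~old_ck & 0xFFFF) + (~ones_complement_sum(old_src + old_dst) & 0xFFFF) \
        + ones_complement_sum(new_src + new_dst)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return udp[:6] + struct.pack("!H", (~s & 0xFFFF) or 0xFFFF) + udp[8:]


def recompute_checksum(udp, new_src, new_dst) -> bytes:
    """Option (b): recompute from scratch over the NAT'ed pseudo-header. Whatever
    payload arrived, corrupted or not, now carries a valid checksum."""
    zeroed = udp[:6] + b"\x00\x00" + udp[8:]
    ck = (~ones_complement_sum(pseudo_header(new_src, new_dst, len(udp)) + zeroed)) & 0xFFFF
    return udp[:6] + struct.pack("!H", ck or 0xFFFF) + udp[8:]


def decapsulation_outcomes(corrupt: bool) -> tuple:
    """(fixup verifies, recompute verifies) at the receiver, with NAT'ed addresses."""
    udp = build_udp(OLD_SRC, OLD_DST, PAYLOAD)
    if corrupt:                       # the "dodgy router" before the IPsec endpoint
        udp = udp[:8] + b"pong"
    return (verify(NEW_SRC, NEW_DST, fixup_checksum(udp, OLD_SRC, OLD_DST, NEW_SRC, NEW_DST)),
            verify(NEW_SRC, NEW_DST, recompute_checksum(udp, NEW_SRC, NEW_DST)))
```

For an intact datagram both options yield the same checksum; only the corrupted case separates them, which is the point made in the quoted text.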