
Re: draft-ietf-ipsec-udp-encaps-06 comments.

On Wednesday, June 11, 2003, at 7:25, Jean-Francois Dive wrote:

> On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote:
>> Jean-Francois Dive wrote:
>>> Hi all,
>>> I am actually busy with implementing NAT-T in IKEv1 context and found
>>> something which may have been overlooked (or that I missed the
>>> discussion on this list). In section 3.1.2, the author talks about the
>>> procedure to follow for udp encapsulated transport mode NAT
>>> decapsulation.
>>> I totally agree with the first point (point (a)) but think the second
>>> point (point (b)) is totally wrong and should never be implemented as
>>> such: it is suggested that if we don't have the original source or
>>> destination ip addresses, the TCP/UDP checksum of the packet should be
>>> recomputed to match the NAT'ed ip pseudo header. This can't happen as it
>>> would make corrupted packets appear as proper packets, the checksum
>>> "mangling" or update being right as a wrong checksum at the start would
>>> remain wrong. The only proper way to deal with this would be to go with
>>> checksum update when you have the information and no checksum at all if
>>> you don't have the information.
>>> Any comments?
>> You wouldn't use ESP without authentication, would you? In transport
>> mode there's no chance that the packet contents accidentally changed
>> if the packet is authenticated. It wouldn't pass authentication
>> checking.
> Consider the following:
> - Packet is xmt'ed from a station.
> - Hops through a dodgy router which corrupts it.
> - Goes through the ipsec gateway, gets UDPinESP'ed.
> - Goes through a NAT gateway.
> - Arrives in the ipsec gateway, the issue arises, the authenticated
>   content never changed on the path.

Is transport mode commonly implemented in an IPSec gateway? Would such 
a gateway be configured behind a NAT a hop away from the host that 
originated the traffic? This seems like a very unlikely scenario that 
would lead to other complications. Is anyone actually implementing an 
ipsec gateway with NAT traversal?

This can still be addressed in the gateway: the ipsec gateway could
simply verify the checksum before it performs the ESP encapsulation.
There's no point in wasting all the CPU power of encrypting the packet
if the packet will just get dropped at the end.
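
The difference the thread is arguing about, as an added example that is not part of the original message or of any IPsec implementation: a UDP segment corrupted before ESP encapsulation is checked before encapsulation, then after NAT with an incremental checksum update (known original address) and with a full recompute. All addresses, ports, the payload and the function names are constructed for illustration.

```python
import socket
import struct

def fold(total):
    while total >> 16:                      # add carries back in (one's complement)
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words(data):
    data += b"\x00" * (len(data) % 2)       # pad odd-length data
    return struct.unpack(f"!{len(data) // 2}H", data)

def csum(src, dst, seg):
    """UDP checksum over the IPv4 pseudo-header plus the segment."""
    ph = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, len(seg))
    return ~fold(sum(words(ph + seg))) & 0xFFFF

def set_csum(seg, value):
    return seg[:6] + struct.pack("!H", value or 0xFFFF) + seg[8:]  # 0 is sent as 0xFFFF

def build_udp(src, dst, sport, dport, payload):
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return set_csum(seg, csum(src, dst, seg))

def verify(src, dst, seg):
    return csum(src, dst, seg) == 0

def incremental_update(seg, old_ip, new_ip):
    """Adjust the checksum for the address change only (RFC 1624, eqn. 3)."""
    (old_c,) = struct.unpack("!H", seg[6:8])
    total = (~old_c & 0xFFFF) + sum(~w & 0xFFFF for w in words(socket.inet_aton(old_ip)))
    total += sum(words(socket.inet_aton(new_ip)))
    return set_csum(seg, ~fold(total) & 0xFFFF)

def full_recompute(seg, src, dst):
    """Overwrite the checksum from scratch, whatever the old value was."""
    zeroed = seg[:6] + b"\x00\x00" + seg[8:]
    return set_csum(seg, csum(src, dst, zeroed))

def demo():
    host, natted, peer = "10.0.0.5", "192.0.2.10", "198.51.100.7"   # constructed
    clean = build_udp(host, peer, 4000, 53, b"constructed payload")
    bad = clean[:10] + bytes([clean[10] ^ 0x01]) + clean[11:]       # corrupted before ESP
    return {
        "bad_before_encap": verify(host, peer, bad),
        "clean_incremental": verify(natted, peer, incremental_update(clean, host, natted)),
        "bad_incremental": verify(natted, peer, incremental_update(bad, host, natted)),
        "bad_recomputed": verify(natted, peer, full_recompute(bad, natted, peer)),
    }
```

Only the full recompute makes the corrupted segment verify; the incremental update carries the original error through, and the check before encapsulation rejects the segment before any encryption work is done.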