[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-ipsec-udp-encaps-06 comments.

To: Jean-Francois Dive <jef@linuxbe.org>
Subject: Re: draft-ietf-ipsec-udp-encaps-06 comments.
From: Joshua Graessley <jgraessley@apple.com>
Date: Wed, 11 Jun 2003 09:16:20 -0700
Cc: Ari Huttunen <Ari.Huttunen@f-secure.com>, ipsec@lists.tislabs.com
In-Reply-To: <20030611142538.GE1043@gardafou.assamite.eu.org>
References: <20030611113650.GD1043@gardafou.assamite.eu.org> <3EE72FB1.1040507@f-secure.com> <20030611142538.GE1043@gardafou.assamite.eu.org>
Sender: owner-ipsec@lists.tislabs.com


On Wednesday, June 11, 2003, at 7:25, Jean-Francois Dive wrote:

> On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote:
>> Jean-Francois Dive wrote:
>>> Hi all,
>>>
>>> I am actually busy with implementing NAT-T in IKEv1 context and found
>>> something which may have been
>>> overlooked (or that i missed the discussion on this list). In section
>>> 3.1.2, the author talk about the
>>> procedure to follow for udp encpasulated transport mode NAT 
>>> decapsulation.
>>> I totally agress with the first point (point (a)) but think the 
>>> second
>>> point (point (b)) is totally wrong and should never be implemented as
>>> such: it is suggested that if we dont have the original source or
>>> destination ip addresses, the TCP/UDP checksum of the packet should 
>>> be
>>> recomputed to match the NAT'ed ip pseudo header. This cant happen as 
>>> it
>>> would make corrupted packets appears as proper packets, the checksum
>>> "mangling"
>>> or update beeing right as a wrong checksum at the start would remain
>>> wrong. The only proper way to deal with this would be to go with 
>>> checksum
>>> update when you have the information and no checksum at all if you 
>>> dont
>>> have the information.
>>> Any comments ?
>>
>> You wouldn't use ESP without authentication, would you? In transport
>> mode there's no chance that the packet contents accidentally changed
>> if the packet is authenticated. It wouldn't pass authentication 
>> checking.
>
> consider the following:
> - packet is xmt'ed from a station.
> - hope trough a dodgy router which corrupt it.
> - Go trough the the ipsec gateway, get UDPinESP'ed.
> - Go trough a NAT gateway.
> - Arrive in the ipsec gateway, the issue raise, the authenticated
>   content never changed on the path.

Is transport mode commonly implemented in an IPSec gateway? Would such 
a gateway be configured behind a NAT a hop away from the host that 
originated the traffic? This seems like a very unlikely scenario that 
would lead to other complications. Is anyone actually implementing an 
ipsec gateway with NAT traversal?

This can still be addressed in the gateway, the ipsec gateway could 
simply verify the checksum before it performs the ESP encapsulation. 
There's no point in wasting all the CPU power of encrypting the packet 
if the packet will just get dropped on the end.

-josh

References:
- draft-ietf-ipsec-udp-encaps-06 comments.
  - From: Jean-Francois Dive <jef@linuxbe.org>
- Re: draft-ietf-ipsec-udp-encaps-06 comments.
  - From: Ari Huttunen <Ari.Huttunen@f-secure.com>
- Re: draft-ietf-ipsec-udp-encaps-06 comments.
  - From: Jean-Francois Dive <jef@linuxbe.org>

Prev by Date: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms
Next by Date: RE: Editorial: Use of MAY in draft-ietf-ipsec-ikev2-algorithms
Prev by thread: Re: draft-ietf-ipsec-udp-encaps-06 comments.
Next by thread: LAST CALL: IKE Crypto documents I-D's
Index(es):
- Date
- Thread