
Re: [Ipsec] big IKE packets



Yoav Nir writes:
> To quite a large extent.  If that equipment worked correctly, it would 
> be able to work with fragments, and we could do with UDP and ESP, no 
> need for NAT-T.

Not really. ESP can never go through NATs without the NAT doing some
guesswork, or without IPsec telling the NAT the SPI mapping it is
using. I.e. the NAT will not know which inbound SPI matches which
outbound SPI, and it cannot forward packets to the correct recipient.

NAT-T does this by giving the information to the NAT boxes in the form
of UDP port numbers.
-- 
kivinen@safenet-inc.com

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
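The point Tero makes above (a NAT has no way to correlate a peer-chosen inbound SPI with the outbound SPI it saw, while UDP port numbers give it exactly the mapping it needs) can be shown with a small simulation. This is an added illustration, not code from the thread or from any IPsec implementation; the addresses, ports and SPI values are constructed, and the `Nat` class is a deliberately simplified model (a real NAT also times out mappings, rewrites checksums, etc.).

```python
"""Toy model of why raw ESP does not traverse a NAT but UDP-encapsulated
ESP (NAT-T, UDP port 4500) does. Constructed example: all addresses,
ports and SPIs are made up."""
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str           # "ESP" or "UDP"
    src: str
    dst: str
    spi: int = 0         # ESP: the SPI is chosen by the *receiver* of the packet
    sport: int = 0       # UDP only
    dport: int = 0       # UDP only


@dataclass
class Nat:
    """Minimal NAPT box: keeps UDP 5-tuple state, has no concept of SPIs."""
    public_ip: str
    next_port: int = 40000
    udp_out: dict = field(default_factory=dict)   # (inside_ip, inside_port) -> public port
    udp_in: dict = field(default_factory=dict)    # public port -> (inside_ip, inside_port)
    esp_hosts: set = field(default_factory=set)   # inside hosts seen sending ESP

    def outbound(self, p: Packet) -> Packet:
        if p.proto == "UDP":
            key = (p.src, p.sport)
            if key not in self.udp_out:            # allocate a public port per inside flow
                self.udp_out[key] = self.next_port
                self.udp_in[self.next_port] = key
                self.next_port += 1
            return replace(p, src=self.public_ip, sport=self.udp_out[key])
        # ESP: the SPI on an outbound packet belongs to the peer's inbound SA.
        # It tells the NAT nothing about the SPI the peer will use when replying.
        self.esp_hosts.add(p.src)
        return replace(p, src=self.public_ip)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.proto == "UDP":
            key = self.udp_in.get(p.dport)          # public port identifies the inside host
            if key is None:
                return None
            ip, port = key
            return replace(p, dst=ip, dport=port)
        # ESP: the inbound SPI was chosen by some inside host during IKE, which the
        # NAT never parsed. With one ESP host it can guess; with more it cannot.
        if len(self.esp_hosts) == 1:
            (only,) = self.esp_hosts
            return replace(p, dst=only)             # guesswork, correct only by luck
        return None


PEER = "203.0.113.5"
# inside host -> (SPI the peer chose for traffic towards the peer,
#                 SPI the inside host chose for traffic coming back)
INSIDE_HOSTS = {"10.0.0.2": (0x1111, 0xAAAA), "10.0.0.3": (0x2222, 0xBBBB)}


def run_scenario(use_natt: bool, hosts: dict = INSIDE_HOSTS) -> dict:
    """Each inside host sends one packet to PEER; PEER replies. Returns
    inside-host -> address the NAT delivered the reply to (None = dropped)."""
    nat = Nat(public_ip="198.51.100.1")
    replies = {}
    for host, (spi_to_peer, spi_from_peer) in hosts.items():
        if use_natt:
            out = nat.outbound(Packet("UDP", host, PEER, spi_to_peer, 4500, 4500))
            # the peer answers to the public (ip, port) it observed
            replies[host] = Packet("UDP", PEER, out.src, spi_from_peer, 4500, out.sport)
        else:
            out = nat.outbound(Packet("ESP", host, PEER, spi_to_peer))
            replies[host] = Packet("ESP", PEER, out.src, spi_from_peer)
    # replies arrive after both hosts have opened their SAs
    return {host: (back.dst if (back := nat.inbound(r)) else None)
            for host, r in replies.items()}


if __name__ == "__main__":
    print("raw ESP, two hosts:", run_scenario(False))
    print("NAT-T,   two hosts:", run_scenario(True))
    print("raw ESP, one host: ", run_scenario(False, {"10.0.0.2": (0x1111, 0xAAAA)}))
```

With two inside hosts behind the NAT, raw ESP replies are dropped for both because the NAT sees two unknown SPIs and no mapping; the same exchange over UDP 4500 is delivered correctly to each host, because the per-host public port does the job the SPI cannot. The single-host run shows the "guesswork" case: the NAT delivers the reply, but only because there is nobody else to deliver it to.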