Re: doubt on draft-ietf-ipsec-nat-t-ike-01.txt
lokeshnb@xxxxxxxxxxxxx ("Lokesh") writes:
 > Hi All,

Hi.

 > Following is a doubt regarding ID draft-ietf-ipsec-nat-t-ike-01
 > It proposes that the sending party should calculate NAT-D payloads for
 > both Destination and source (its own) IP address and port pairs.
 > that is HASH = HASH( CKY-I | CKY-R | IP | Port)
 > So in the normal case (host is not multihomed) there will be
 > two NAT-D payloads.
 > I want to know why it is proposed to send 2 NAT-D payloads?
 > For me, it looks like there is no need for the First NAT-D payload
 > which is the Hash on Destination IP and port,
 > because Destination IP and Ports are not going to change in NAT,
[*]
 > only Source ip and source ports are changed. The sending party can send only the
 > Second NAT-D payload (HASH on its own IP and src port), and the receiving party
 > can determine the occurrence of NAT as follows: take src ip and src port
 > selectors from the incoming packet, prepare a HASH on them and compare with
 > the HASH of the NAT-D payload sent by the other peer. If the match is ok, there is no
 > NAT; if it fails, there is a NAT.
 >
 > Is that Ok? or Am I missing some point here? if so correct me please.

[*] Oh? Is there a guarantee about this somewhere?

Consider this:

 initiator ---> contacts 1.2.3.4 ---> static nat ---> responder (2.3.4.5)

Obviously, the responder is behind the NAT, and not the initiator. It
should be possible to run IPsec regardless given the payloads specified in
the draft, but not with the changes you specify.

Also, in the normal NAT case, with your changes, the other side would NOT know
about the NAT; obviously, when the responder sends his src address, it
stays the same to the initiator (as nobody alters it) and the initiator
wouldn't know of the presence of a NAT device, unless the responder sent something
other than just the normal address as response (like the `DECISION' payload in
my older draft).

 > Thanks
 > -Lokesh

-Markus

--
Markus Stenberg <stenberg@xxxxxxx> of SSH Communications Security (www.ssh.com)
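The static-NAT case from the reply, worked through as an added example (not code from the thread or from the draft): it computes NAT-D payloads as HASH(CKY-I | CKY-R | IP | Port) and shows that the responder can only notice the NAT in front of itself when the initiator also sends the destination-address hash. The cookie values, the addresses (10.0.0.1 for the initiator) and the choice of SHA-1 as the negotiated hash are assumptions made for the example.

```python
import hashlib
import socket
import struct

# Constructed 8-byte IKE cookies for this example (not from the draft).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")


def nat_d(cky_i, cky_r, ip, port):
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), with the IPv4
    address in network byte order and the UDP port as a 16-bit big-endian
    integer. SHA-1 stands in for the negotiated IKE hash (assumption)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(peer_hashes, observed_ip, observed_port):
    """Receiver-side check from the thread: hash the address/port actually
    seen on the wire and look for it among the peer's NAT-D payloads.
    No match means a NAT rewrote that address somewhere on the path."""
    return nat_d(CKY_I, CKY_R, observed_ip, observed_port) not in peer_hashes


def static_nat_scenario():
    """initiator ---> contacts 1.2.3.4 ---> static nat ---> responder (2.3.4.5).
    The initiator's own address is not rewritten; only the destination is."""
    init_ip, init_port = "10.0.0.1", 500   # constructed initiator address
    dst_ip, dst_port = "1.2.3.4", 500      # address the initiator sends to
    resp_ip, resp_port = "2.3.4.5", 500    # address the responder actually owns

    # As the draft specifies: destination pair first, then the sender's own pair.
    per_draft = [nat_d(CKY_I, CKY_R, dst_ip, dst_port),
                 nat_d(CKY_I, CKY_R, init_ip, init_port)]
    # The proposal in the question: only the sender's own address is hashed.
    source_only = [nat_d(CKY_I, CKY_R, init_ip, init_port)]

    draft_result = {
        # Responder hashes its own address and finds no match: NAT in front of it.
        "nat_before_responder": nat_detected(per_draft, resp_ip, resp_port),
        # Initiator's source address arrived unchanged: no NAT on that side.
        "nat_before_initiator": nat_detected(per_draft, init_ip, init_port),
    }
    # With the source hash alone the responder can only verify the initiator's
    # address, which matches, so the static NAT in front of it goes unnoticed.
    source_only_result = {
        "nat_before_initiator": nat_detected(source_only, init_ip, init_port),
    }
    return draft_result, source_only_result
```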