[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT Traversal
pcn@xxxxxxxxx ("Chinna N.R. Pellacuru") writes:
�(B> On 25 Feb 2002, Derek Atkins wrote:
�(B> > "Jayant Shukla" <jshukla@xxxxxxxxxxx> writes:
�(B> > >
�(B> > > What makes you think the client is involved? IPsec pass-thru implemented
�(B> > > in most low end NAT boxes is not complete RSIP as that would require
�(B> > > modifications to client and the gateway.
�(B> >
�(B> > See what I said before about demon-spawn!!! NAT traversal via IPsec
�(B> > pass-thru[sic] is just plain wrong, broken, and lots of other words
�(B> > that I don't want to use in mixed company.
�(B> NAT translates all protocols in a transparent manner using some protocol
�(B> parameters, Eg. ports in case of UDP and TCP. I don't see why we should
�(B> not try and apply a similar model to IPsec, using cookies and SPIs.
�(B>
�(B> Sure the SPIs are encrypted during IKE negotiation and the NAT box cannot
�(B> see which SPIs are a pair. But if we somehow relate one SPI to another in
�(B> each pair, the NAT box can translate ESP traffic with a high probability
�(B> of success.
�(B
�(BIndeed? I'd like to know how my ESP transport mode's TCP checksum is fixed
�(Bby the NAT box.
�(B
�(BNote: IPsec is other things than VPNs, too.
�(B
�(BOr, in tunnel mode, actually (*gasp*) more than one client behind large NAT
�(Baccessing (*gasp*) SAME security gateway!
�(B
�(BHigh probability of success my .. foot.
�(B
�(B> Well, it's not pretty, but that is the inherent nature of NAT itself.
�(B
�(BIt's far from pretty.
�(B
�(BIt seems that using some obscure port, or having disclaimer about 'This is
�(Bcopyright protected material, if you try to reverse-engineer this ROT-0
�(Bencrypted packet you will be sued to hell' are the only two ways to deal
�(Bwith it.
�(B
�(BI'm starting to agree with Derek about what should be done with NATs..
�(B
�(B> chinna
�(B
�(B-Markus
�(B
�(B--
�(BMarkus Stenberg <stenberg@xxxxxxx> of SSH Communications Security (www.ssh.com)
�(BSSH �$B0O8k@x@8�(B