[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: draft-ietf-ipsec-udp-encaps-06 comments.
Jean-Francois Dive wrote:
I am actually busy with implementing NAT-T in IKEv1 context and found something which may have been
overlooked (or that i missed the discussion on this list). In section 3.1.2, the author talk about the
procedure to follow for udp encpasulated transport mode NAT decapsulation. I totally agress with the
first point (point (a)) but think the second point (point (b)) is totally wrong and should never be
implemented as such: it is suggested that if we dont have the original source or destination ip
addresses, the TCP/UDP checksum of the packet should be recomputed to match the NAT'ed ip pseudo header.
This cant happen as it would make corrupted packets appears as proper packets, the checksum "mangling"
or update beeing right as a wrong checksum at the start would remain wrong. The only proper way to
deal with this would be to go with checksum update when you have the information and no checksum
at all if you dont have the information.
Any comments ?
You wouldn't use ESP without authentication, would you? In transport
mode there's no chance that the packet contents accidentally changed
if the packet is authenticated. It wouldn't pass authentication checking.
I play it cool and dig all jive,
that's the reason I stay alive.
My motto as I live and learn,
is dig and be dug in return. <Langston Hughes>
Ari Huttunen phone: +358 9 2520 0700
Software Architect fax : +358 9 2520 5001
F-Secure Corporation http://www.F-Secure.com
F(ully)-Secure products: Securing the Mobile Enterprise