[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-ipsec-udp-encaps-06 comments.

Jean-Francois Dive wrote:
Hi all,

I am actually busy with implementing NAT-T in IKEv1 context and found something which may have been
overlooked (or that i missed the discussion on this list). In section 3.1.2, the author talk about the
procedure to follow for udp encpasulated transport mode NAT decapsulation. I totally agress with the first point (point (a)) but think the second point (point (b)) is totally wrong and should never be implemented as such: it is suggested that if we dont have the original source or destination ip addresses, the TCP/UDP checksum of the packet should be recomputed to match the NAT'ed ip pseudo header. This cant happen as it would make corrupted packets appears as proper packets, the checksum "mangling"
or update beeing right as a wrong checksum at the start would remain wrong. The only proper way to deal with this would be to go with checksum update when you have the information and no checksum at all if you dont have the information.

Any comments ?

You wouldn't use ESP without authentication, would you? In transport mode there's no chance that the packet contents accidentally changed if the packet is authenticated. It wouldn't pass authentication checking.


I play it cool and dig all jive,
 that's the reason I stay alive.
  My motto as I live and learn,
   is dig and be dug in return. <Langston Hughes>

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation http://www.F-Secure.com

F(ully)-Secure products: Securing the Mobile Enterprise