Re: Thomas Narten's DISCUSS vote
Vach Kompella <kompella@us.ibm.com> Tue, 26 May 1998 13:43 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id JAA15451 for ipsec-outgoing; Tue, 26 May 1998 09:43:46 -0400 (EDT)
From: Vach Kompella <kompella@us.ibm.com>
To: ipsec@tis.com, gab@Eng.Sun.Com
Subject: Re: Thomas Narten's DISCUSS vote
Message-ID: <5040200015408410000002L002*@MHS>
Date: Tue, 26 May 1998 09:22:23 -0400
But you are trying to NAT the inner IP header. The outer IP header's src IP
address is the Security Gateway's IP address. That is an externally valid IP
address (otherwise it won't fly in the Internet). The address you need to NAT
is the src IP address in the inner IP header that belongs to some host inside
the enterprise that has the illegal/net-10 address.

Vach Kompella
IBM Corp.

owner-ipsec@ex.tis.com on 05/24/98 07:17:43 AM
Please respond to gab@Eng.Sun.Com
To: ipsec@tis.com
cc:
Subject: Re: Thomas Narten's DISCUSS vote

"Vipul Gupta" <vgupta@nobel.eng.sun.com> wrote:
>Date: Fri, 22 May 1998 14:42:38 -0700 (PDT)
>
> I think Tom's comment is valid. Even when used with NULL encryption,
> ESP's integrity check will include the TCP/UDP header and,

Only assuming transport mode ESP. Tunnel mode ESP should work fine.
Perhaps this should be mentioned explicitly in the ESP_NULL draft:

>> >> The IPsec Authentication Header [AH] specification provides a similar
>> >> service, by computing authentication data which covers the data
>> >> portion of a packet as well as the immutable in transit portions of
>> >> the IP header. ESP_NULL does not include the IP header in
>> >> calculating the authentication data. This can be useful in providing
>> >> IPsec services through Network Address Translation (NAT) devices and
>> >> non-IP network devices.
              ^^^^^^^^^^^^^^^^^^^^^^^, particularly if using tunnel mode.
>> >> The discussion on how ESP_NULL might be
>> >> used with NAT and non-IP network devices is outside the scope of this
>> >> document.
>> >

-gabriel
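
Added example, not part of the original thread or of any draft it discusses: a Python sketch of which bytes the ESP_NULL integrity check covers in tunnel and transport mode, and what a NAT source-address rewrite does in each case. The key, addresses, ports and SPI are constructed, and HMAC-SHA1-96 is assumed as the authentication algorithm.

```python
import hashlib, hmac, socket, struct
KEY = b"constructed-demo-key"  # constructed sample key, not from the thread
A = socket.inet_aton

def csum(d):  # RFC 1071 Internet checksum
    d += b"\x00" * (len(d) % 2)
    s = sum(struct.unpack("!%dH" % (len(d) // 2), d))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ip_hdr(src, dst, proto, plen):  # minimal IPv4 header with a valid checksum
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, 64, proto, 0, A(src), A(dst))
    return h[:10] + struct.pack("!H", csum(h)) + h[12:]

def pseudo(src, dst, n):  # TCP pseudo-header: where the IP addresses enter the TCP checksum
    return A(src) + A(dst) + struct.pack("!BBH", 0, 6, n)

def tcp_seg(src, dst, data):
    h = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 0x50, 0x18, 8192, 0, 0)
    return h[:16] + struct.pack("!H", csum(pseudo(src, dst, 20 + len(data)) + h + data)) + h[18:] + data

def tcp_ok(src, dst, seg):  # receiver-side check against the addresses it actually sees
    return csum(pseudo(src, dst, len(seg)) + seg) == 0

def esp_null(payload, next_hdr):  # SPI, sequence number, cleartext payload, padding, trailer, ICV
    pad = -(len(payload) + 2) % 4
    body = struct.pack("!II", 0x1000, 1) + payload + bytes(range(1, pad + 1)) + bytes([pad, next_hdr])
    return body + hmac.new(KEY, body, hashlib.sha1).digest()[:12]  # IP header in front is not covered

def icv_ok(esp):
    return hmac.compare_digest(hmac.new(KEY, esp[:-12], hashlib.sha1).digest()[:12], esp[-12:])

def nat_src(pkt, new):  # what a NAT does: rewrite the source address, fix the IP header checksum
    h = pkt[:10] + b"\x00\x00" + A(new) + pkt[16:20]
    return h[:10] + struct.pack("!H", csum(h)) + h[12:] + pkt[20:]

def demo():
    host, gw, peer, pub = "10.0.0.5", "192.0.2.1", "198.51.100.7", "203.0.113.9"  # constructed
    seg = tcp_seg(host, peer, b"hello")
    inner = ip_hdr(host, peer, 6, len(seg)) + seg
    esp = esp_null(inner, 4)                      # tunnel mode: next header = IP-in-IP
    tun = ip_hdr(gw, peer, 50, len(esp)) + esp
    inner_nat = tun[:28] + nat_src(inner, pub) + tun[28 + len(inner):]  # rewrite inside the ICV
    esp_t = esp_null(seg, 6)                      # transport mode: next header = TCP
    trans = nat_src(ip_hdr(host, peer, 50, len(esp_t)) + esp_t, pub)
    return {"tunnel_outer_nat_icv": icv_ok(nat_src(tun, pub)[20:]),
            "tunnel_inner_nat_icv": icv_ok(inner_nat[20:]),
            "transport_nat_icv": icv_ok(trans[20:]), "transport_nat_tcp": tcp_ok(pub, peer, seg)}
```

In the transport-mode case the ICV still verifies after the rewrite, but the TCP checksum fails at the receiver, and the NAT cannot correct it because the TCP header lies inside the authenticated data.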