draft-ietf-ipsec-udp-encaps-06 comments.

[Jean-Francois Dive <jef@linuxbe.org>]

Hi all,

I am actually busy with implementing NAT-T in IKEv1 context and found something which may have been
overlooked (or that i missed the discussion on this list). In section 3.1.2, the author talk about the
procedure to follow for udp encpasulated transport mode NAT decapsulation. I totally agress with the 
first point (point (a)) but think the second point (point (b)) is totally wrong and should never be 
implemented as such: it is suggested that if we dont have the original source or destination ip 
addresses, the TCP/UDP checksum of the packet should be recomputed to match the NAT'ed ip pseudo header. 
This cant happen as it would make corrupted packets appears as proper packets, the checksum "mangling"
or update beeing right as a wrong checksum at the start would remain wrong. The only proper way to 
deal with this would be to go with checksum update when you have the information and no checksum 
at all if you dont have the information. 

Any comments ?

Thanks,

Regards,

Jean-Francois Dive

-- 

-> Jean-Francois Dive
--> jef@linuxbe.org

  There is no such thing as randomness.  Only order of infinite
  complexity. - Marquis de LaPlace - deterministic Principles -