Re: Thomas Narten's DISCUSS vote

Pyda Srisuresh <suresh@livingston.com> Thu, 28 May 1998 23:56 UTC

From: Pyda Srisuresh <suresh@livingston.com>
Message-Id: <199805290011.RAA23145@server.livingston.com>
Subject: Re: Thomas Narten's DISCUSS vote
To: kompella@us.ibm.com
Date: Thu, 28 May 1998 17:16:12 -0700
Cc: ipsec@tis.com, gab@Eng.Sun.Com
In-Reply-To: <5040200015408410000002L002*@MHS> from "Vach Kompella" at May 26, 98 09:22:23 am

Gabriel is right about NULL-ESP not impacting NAT packets in tunnel 
mode ESP. This is because the original packet (say, with a net 10 src
address) would have been subject to NAT translation already prior to 
being tunneled. If it wasn't NAT translated, then it is not a NAT packet.

Secondly, as Vipul and Thomas Narten pointed out earlier, NULL_ESP in 
transport mode won't provide IPsec service for TCP/UDP NAT packets. But 
NULL_ESP in transport mode does provide IPsec service for non-TCP/UDP 
packets (e.g., ICMP). I.e., protocols that do not indirectly embed IP address 
integrity within their header/payload can be NAT translated with 
NULL-ESP.

cheers,
suresh

> 
> But you are trying to NAT the inner IP header.  The outer IP header's src IP
> address is the Security Gateway's IP address.  That is an externally valid IP
> address (otherwise it won't fly in the Internet).  The address you need to NAT
> is the src IP address in the inner IP header that belongs to some host inside
> the enterprise that has the illegal/net-10 address.
> 
> Vach Kompella
> IBM Corp.
> 
> owner-ipsec@ex.tis.com on 05/24/98 07:17:43 AM
> Please respond to gab@Eng.Sun.Com
> To: ipsec@tis.com
> cc:
> Subject: Re: Thomas Narten's DISCUSS vote
> 
> "Vipul Gupta" <vgupta@nobel.eng.sun.com> wrote:
> 
> >Date: Fri, 22 May 1998 14:42:38 -0700 (PDT)
> >
> >  I think Tom's comment is valid. Even when used with NULL encryption,
> >  ESP's integrity check will include the TCP/UDP header and,
> 
> Only assuming transport mode ESP. Tunnel mode ESP should work
> fine.
> 
> Perhaps this should be mentioned explicitly in the ESP_NULL draft:
> 
> 
> >> >>    The IPsec Authentication Header [AH] specification provides a similar
> >> >>    service, by computing authentication data which covers the data
> >> >>    portion of a packet as well as the immutable in transit portions of
> >> >>    the IP header.  ESP_NULL does not include the IP header in
> >> >>    calculating the authentication data.  This can be useful in providing
> >> >>    IPsec services through Network Address Translation (NAT) devices and
> >> >>    non-IP network devices.
>          ^^^^^^^^^^^^^^^^^^^^^^^, particularly if using tunnel mode.
> 
> >> >>   The discussion on how ESP_NULL might be
> >> >>    used with NAT and non-IP network devices is outside the scope of this
> >> >>    document.
> >> >
> 
> 
> -gabriel
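The point argued across this thread (the ESP ICV covers the TCP/UDP header, the TCP/UDP checksum covers a pseudo-header with the IP addresses, and a NAT must change one or the other) can be shown byte for byte. The script below is an added demonstration written for this page, not code from the list, the draft authors or any IPsec implementation. It builds ESP-NULL packets with HMAC-SHA1-96, pushes them through a minimal NAT, and checks what a receiving peer sees in each of the cases the mail discusses: transport-mode UDP (NAT leaves the ESP body alone, or patches the UDP checksum inside it), transport-mode ICMP echo, and tunnel mode where the inner packet was translated before the gateway encapsulated it. The HMAC key, SPI, port numbers and addresses (10.0.0.5 behind the NAT, 192.0.2.10 as its public address, 192.0.2.1 as the gateway, 198.51.100.7 as the peer) are all constructed for the demo.

```python
"""ESP-NULL vs NAT: added demo, not from the ipsec list. Key, SPI, addresses are constructed."""
import hashlib
import hmac
import ipaddress
import struct

HMAC_KEY = b"constructed-demo-key, not a real SA key"   # assumed HMAC-SHA1-96 key
SPI = 0x1000                                           # assumed SPI
ESP_PROTO, UDP_PROTO, ICMP_PROTO, IPIP_PROTO = 50, 17, 1, 4
PRIV, PUB, GW, PEER = "10.0.0.5", "192.0.2.10", "192.0.2.1", "198.51.100.7"  # constructed


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over intact data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def ip4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def udp_fix_checksum(src: str, dst: str, seg: bytes) -> bytes:
    """UDP checksum covers a pseudo-header holding the IP addresses: change an address, it changes."""
    pseudo = addr(src) + addr(dst) + struct.pack("!BBH", 0, UDP_PROTO, len(seg))
    seg = seg[:6] + b"\x00\x00" + seg[8:]
    return seg[:6] + struct.pack("!H", inet_checksum(pseudo + seg) or 0xFFFF) + seg[8:]


def udp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    pseudo = addr(src) + addr(dst) + struct.pack("!BBH", 0, UDP_PROTO, len(seg))
    return inet_checksum(pseudo + seg) == 0


def udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    return udp_fix_checksum(src, dst, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)


def icmp_echo(ident: int, seq: int, data: bytes) -> bytes:
    """ICMP checksum covers only the ICMP message, never the IP addresses."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def esp_null_encap(next_header: int, payload: bytes, seq: int = 1) -> bytes:
    """ESP, NULL encryption, HMAC-SHA1-96: ICV covers ESP header, payload and trailer, not the IP header."""
    pad_len = (-(len(payload) + 2)) % 4
    body = (struct.pack("!II", SPI, seq) + payload
            + bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, next_header))
    return body + hmac.new(HMAC_KEY, body, hashlib.sha1).digest()[:12]


def esp_null_decap(esp: bytes):
    body, icv = esp[:-12], esp[-12:]
    icv_ok = hmac.compare_digest(hmac.new(HMAC_KEY, body, hashlib.sha1).digest()[:12], icv)
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    return icv_ok, next_header, body[8:len(body) - 2 - pad_len]


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """A NAT's minimum: swap the source address and refresh the IP header checksum."""
    hdr = pkt[:10] + b"\x00\x00" + addr(new_src) + pkt[16:20]
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + pkt[20:]


def receive(pkt: bytes) -> dict:
    """IPsec peer: verify the ICV, then the transport checksum with the addresses it actually sees."""
    src, dst = str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))
    icv_ok, nh, payload = esp_null_decap(pkt[20:])
    if nh == UDP_PROTO:
        l4_ok = udp_checksum_ok(src, dst, payload)
    elif nh == ICMP_PROTO:
        l4_ok = inet_checksum(payload) == 0
    else:  # tunnel mode: the inner IP header carries the addresses the UDP checksum was built from
        inner_src, inner_dst = str(ipaddress.IPv4Address(payload[12:16])), str(ipaddress.IPv4Address(payload[16:20]))
        l4_ok = udp_checksum_ok(inner_src, inner_dst, payload[20:])
    return {"icv_ok": icv_ok, "l4_checksum_ok": l4_ok}


def transport_udp_via_nat(nat_fixes_udp_checksum: bool) -> dict:
    """ESP-NULL transport mode carrying UDP, NAT between the host and the peer."""
    seg = udp(PRIV, PEER, 5000, 500, b"hello")
    pkt = nat_rewrite_src(ip4(PRIV, PEER, ESP_PROTO, esp_null_encap(UDP_PROTO, seg)), PUB)
    if nat_fixes_udp_checksum:  # an ESP-NULL-aware NAT patching bytes the ICV covers (20 IP + 8 ESP header in)
        pkt = pkt[:28] + udp_fix_checksum(PUB, PEER, pkt[28:28 + len(seg)]) + pkt[28 + len(seg):]
    return receive(pkt)


def transport_icmp_via_nat() -> dict:
    msg = icmp_echo(0x1234, 1, b"ping")
    return receive(nat_rewrite_src(ip4(PRIV, PEER, ESP_PROTO, esp_null_encap(ICMP_PROTO, msg)), PUB))


def tunnel_udp_nat_before_gateway() -> dict:
    """Host -> NAT -> security gateway: the NAT sees plain UDP and fixes its checksum before ESP covers it."""
    inner = nat_rewrite_src(ip4(PRIV, PEER, UDP_PROTO, udp(PRIV, PEER, 5000, 500, b"hello")), PUB)
    inner = inner[:20] + udp_fix_checksum(PUB, PEER, inner[20:])
    return receive(ip4(GW, PEER, ESP_PROTO, esp_null_encap(IPIP_PROTO, inner)))


if __name__ == "__main__":
    print("transport/UDP, NAT leaves ESP alone:", transport_udp_via_nat(False))
    print("transport/UDP, NAT fixes checksum:  ", transport_udp_via_nat(True))
    print("transport/ICMP echo via NAT:        ", transport_icmp_via_nat())
    print("tunnel/UDP, NAT before gateway:     ", tunnel_udp_nat_before_gateway())
```

Run as a script it prints the four outcomes: for transport-mode UDP the receiver gets either a good ICV with a bad UDP checksum or a good UDP checksum with a bad ICV, never both; the ICMP echo and the tunnel-mode packet pass both checks. A real NAT sees IP protocol 50 and does not look inside the ESP body at all, so in practice the first UDP outcome is the one that occurs.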