Re: draft-ietf-ipsec-udp-encaps-06 comments.
Jean-Francois Dive <jef@linuxbe.org> Wed, 11 June 2003 16:03 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA15354 for <ipsec-archive@lists.ietf.org>; Wed, 11 Jun 2003 12:03:23 -0400 (EDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA08595 Wed, 11 Jun 2003 10:21:03 -0400 (EDT)
Date: Wed, 11 Jun 2003 16:25:38 +0200
From: Jean-Francois Dive <jef@linuxbe.org>
To: Ari Huttunen <Ari.Huttunen@f-secure.com>
Cc: Jean-Francois Dive <jef@linuxbe.org>, ipsec@lists.tislabs.com
Subject: Re: draft-ietf-ipsec-udp-encaps-06 comments.
Message-ID: <20030611142538.GE1043@gardafou.assamite.eu.org>
References: <20030611113650.GD1043@gardafou.assamite.eu.org> <3EE72FB1.1040507@f-secure.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3EE72FB1.1040507@f-secure.com>
User-Agent: Mutt/1.5.3i
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote: > Jean-Francois Dive wrote: > >Hi all, > > > >I am actually busy with implementing NAT-T in IKEv1 context and found > >something which may have been > >overlooked (or that i missed the discussion on this list). In section > >3.1.2, the author talk about the > >procedure to follow for udp encpasulated transport mode NAT decapsulation. > >I totally agress with the first point (point (a)) but think the second > >point (point (b)) is totally wrong and should never be implemented as > >such: it is suggested that if we dont have the original source or > >destination ip addresses, the TCP/UDP checksum of the packet should be > >recomputed to match the NAT'ed ip pseudo header. This cant happen as it > >would make corrupted packets appears as proper packets, the checksum > >"mangling" > >or update beeing right as a wrong checksum at the start would remain > >wrong. The only proper way to deal with this would be to go with checksum > >update when you have the information and no checksum at all if you dont > >have the information. > >Any comments ? > > You wouldn't use ESP without authentication, would you? In transport > mode there's no chance that the packet contents accidentally changed > if the packet is authenticated. It wouldn't pass authentication checking. consider the following: - packet is xmt'ed from a station. - hope trough a dodgy router which corrupt it. - Go trough the the ipsec gateway, get UDPinESP'ed. - Go trough a NAT gateway. - Arrive in the ipsec gateway, the issue raise, the authenticated content never changed on the path. > > Ari > > -- > I play it cool and dig all jive, > that's the reason I stay alive. > My motto as I live and learn, > is dig and be dug in return. <Langston Hughes> > > Ari Huttunen phone: +358 9 2520 0700 > Software Architect fax : +358 9 2520 5001 > > F-Secure Corporation http://www.F-Secure.com > > F(ully)-Secure products: Securing the Mobile Enterprise -- -> Jean-Francois Dive --> jef@linuxbe.org There is no such thing as randomness. Only order of infinite complexity. - Marquis de LaPlace - deterministic Principles -
- Re: draft-ietf-ipsec-udp-encaps-06 comments. Ari Huttunen
- draft-ietf-ipsec-udp-encaps-06 comments. Jean-Francois Dive
- Re: draft-ietf-ipsec-udp-encaps-06 comments. Jean-Francois Dive
- Re: draft-ietf-ipsec-udp-encaps-06 comments. Jean-Francois Dive
- Re: draft-ietf-ipsec-udp-encaps-06 comments. Joshua Graessley