Re: draft-ietf-ipsec-udp-encaps-06 comments.

Jean-Francois Dive <jef@linuxbe.org> Wed, 11 June 2003 16:03 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA15354 for <ipsec-archive@lists.ietf.org>; Wed, 11 Jun 2003 12:03:23 -0400 (EDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id KAA08595 Wed, 11 Jun 2003 10:21:03 -0400 (EDT)
Date: Wed, 11 Jun 2003 16:25:38 +0200
From: Jean-Francois Dive <jef@linuxbe.org>
To: Ari Huttunen <Ari.Huttunen@f-secure.com>
Cc: Jean-Francois Dive <jef@linuxbe.org>, ipsec@lists.tislabs.com
Subject: Re: draft-ietf-ipsec-udp-encaps-06 comments.
Message-ID: <20030611142538.GE1043@gardafou.assamite.eu.org>
References: <20030611113650.GD1043@gardafou.assamite.eu.org> <3EE72FB1.1040507@f-secure.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3EE72FB1.1040507@f-secure.com>
User-Agent: Mutt/1.5.3i
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

On Wed, Jun 11, 2003 at 04:33:37PM +0300, Ari Huttunen wrote:
> Jean-Francois Dive wrote:
> >Hi all,
> >
> >I am actually busy with implementing NAT-T in an IKEv1 context and found
> >something which may have been overlooked (or that I missed the discussion
> >on this list). In section 3.1.2, the author talks about the procedure to
> >follow for UDP-encapsulated transport mode NAT decapsulation.
> >I totally agree with the first point (point (a)) but think the second
> >point (point (b)) is totally wrong and should never be implemented as
> >such: it is suggested that if we don't have the original source or
> >destination IP addresses, the TCP/UDP checksum of the packet should be
> >recomputed to match the NAT'ed IP pseudo header. This can't happen as it
> >would make corrupted packets appear as proper packets, the checksum
> >"mangling" or update being right as a wrong checksum at the start would
> >remain wrong. The only proper way to deal with this would be to go with
> >checksum update when you have the information and no checksum at all if
> >you don't have the information.
> >Any comments ?
> 
> You wouldn't use ESP without authentication, would you? In transport
> mode there's no chance that the packet contents accidentally changed
> if the packet is authenticated. It wouldn't pass authentication checking.

consider the following:
- packet is transmitted from a station.
- hops through a dodgy router which corrupts it.
- goes through the IPsec gateway, gets UDP-in-ESP'ed.
- goes through a NAT gateway.
- arrives at the IPsec gateway; the issue arises, the authenticated
  content never changed on the path.


> 
> Ari
> 
> -- 
> I play it cool and dig all jive,
>  that's the reason I stay alive.
>   My motto as I live and learn,
>    is dig and be dug in return. <Langston Hughes>
> 
> Ari Huttunen                   phone: +358 9 2520 0700
> Software Architect             fax  : +358 9 2520 5001
> 
> F-Secure Corporation       http://www.F-Secure.com
> 
> F(ully)-Secure products: Securing the Mobile Enterprise

-- 

-> Jean-Francois Dive
--> jef@linuxbe.org

  There is no such thing as randomness.  Only order of infinite
  complexity. - Marquis de LaPlace - deterministic Principles -
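
The path described in the reply above, worked through in code. This is an added example, not text from the draft and not code from either poster: a constructed UDP datagram is checksummed by the sender against its own addresses, optionally has one payload bit flipped before ESP is applied, has its source address rewritten by a NAT, and is then repaired at the receiver either by option (a), incremental update using the original addresses learned from NAT-OA, or by option (b) as read by the poster, a full recomputation over the NATed pseudo-header. The addresses, ports and payload are made up, and `nat_t_scenario`, `udp_fixup_incremental` and the other names are this example's own. ESP itself is not modelled: as the reply says, the bytes it authenticates never change after the corruption, so the integrity check passes either way and only the TCP/UDP checksum arithmetic matters here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DGRAM_LEN 13   /* 8-byte UDP header + 5 payload bytes (constructed) */

/* Constructed addresses (not from the draft): the sender's own, the peer's,
 * and the sender's address as rewritten by the NAT in between. */
static const uint32_t ORIG_SRC = 0x0A000105u; /* 10.0.1.5      */
static const uint32_t ORIG_DST = 0xC000020Au; /* 192.0.2.10    */
static const uint32_t NAT_SRC  = 0xC633640Fu; /* 198.51.100.15 */

/* One's-complement accumulation of big-endian 16-bit words; an odd trailing
 * byte is padded with a zero byte. */
static uint32_t csum_add(uint32_t acc, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

static uint16_t csum_fold(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffffu) + (acc >> 16);
    return (uint16_t)acc;
}

/* IPv4 pseudo-header for UDP (protocol 17): src, dst, zero, proto, length. */
static uint32_t csum_pseudo(uint32_t acc, uint32_t src, uint32_t dst, uint16_t len)
{
    const uint8_t ph[12] = {
        (uint8_t)(src >> 24), (uint8_t)(src >> 16), (uint8_t)(src >> 8), (uint8_t)src,
        (uint8_t)(dst >> 24), (uint8_t)(dst >> 16), (uint8_t)(dst >> 8), (uint8_t)dst,
        0, 17, (uint8_t)(len >> 8), (uint8_t)len
    };
    return csum_add(acc, ph, sizeof ph);
}

/* Full computation over pseudo-header + datagram (len >= 8), checksum field
 * treated as zero. UDP transmits an all-zero result as 0xffff. */
uint16_t udp_checksum(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
    uint32_t acc = csum_pseudo(0, src, dst, (uint16_t)len);
    acc = csum_add(acc, udp, 6);            /* ports and length */
    acc = csum_add(acc, udp + 8, len - 8);  /* payload; field at 6..7 skipped */
    uint16_t c = (uint16_t)~csum_fold(acc);
    return c ? c : 0xffff;
}

/* What the receiving UDP stack does: sum everything including the stored
 * checksum; a valid datagram folds to all ones. */
int udp_checksum_ok(uint32_t src, uint32_t dst, const uint8_t *udp, size_t len)
{
    uint32_t acc = csum_pseudo(0, src, dst, (uint16_t)len);
    return csum_fold(csum_add(acc, udp, len)) == 0xffff;
}

static void put_csum(uint8_t *udp, uint16_t c)
{
    udp[6] = (uint8_t)(c >> 8);
    udp[7] = (uint8_t)c;
}

/* Option (a): incremental update with the original addresses known from
 * NAT-OA, in the RFC 1624 form ~(~HC + ~m + m'). The stored sum is moved from
 * the original pseudo-header to the one the receiver now sees, so an error
 * already present in the checksum survives the move. */
void udp_fixup_incremental(uint8_t *udp, uint32_t seen_src, uint32_t seen_dst,
                           uint32_t orig_src, uint32_t orig_dst)
{
    uint32_t acc = (uint16_t)~(((uint16_t)udp[6] << 8) | udp[7]);           /* ~HC */
    acc += (uint16_t)~(orig_src >> 16) + (uint16_t)~(orig_src & 0xffffu);  /* ~m  */
    acc += (uint16_t)~(orig_dst >> 16) + (uint16_t)~(orig_dst & 0xffffu);
    acc += (seen_src >> 16) + (seen_src & 0xffffu);                         /* m'  */
    acc += (seen_dst >> 16) + (seen_dst & 0xffffu);
    uint16_t c = (uint16_t)~csum_fold(acc);
    put_csum(udp, c ? c : 0xffff);
}

/* Option (b) as read by the poster: no original addresses, so recompute over
 * the NATed pseudo-header and whatever bytes actually arrived. */
void udp_fixup_recompute(uint8_t *udp, size_t len, uint32_t seen_src, uint32_t seen_dst)
{
    put_csum(udp, udp_checksum(seen_src, seen_dst, udp, len));
}

/* Constructed datagram: sport 40000, dport 53, length 13, payload "hello",
 * checksummed by the sender against its own addresses. */
static void build_datagram(uint8_t *udp)
{
    static const uint8_t tmpl[DGRAM_LEN] = { 0x9c, 0x40, 0x00, 0x35, 0x00, 0x0d,
                                             0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
    memcpy(udp, tmpl, DGRAM_LEN);
    put_csum(udp, udp_checksum(ORIG_SRC, ORIG_DST, udp, DGRAM_LEN));
}

/* The path from the thread: sender -> router (optionally flips a bit) ->
 * IPsec gateway (ESP covers the already-corrupted bytes, so it passes; not
 * modelled) -> NAT rewrites the source -> receiver decapsulates and applies
 * option 'a' or 'b'. Returns what the receiving UDP stack decides. */
int nat_t_scenario(int corrupt_in_transit, char option)
{
    uint8_t udp[DGRAM_LEN];
    build_datagram(udp);
    if (corrupt_in_transit)
        udp[8] ^= 0x20;                 /* 'h' -> 'H', before ESP is applied */
    if (option == 'a')
        udp_fixup_incremental(udp, NAT_SRC, ORIG_DST, ORIG_SRC, ORIG_DST);
    else
        udp_fixup_recompute(udp, DGRAM_LEN, NAT_SRC, ORIG_DST);
    return udp_checksum_ok(NAT_SRC, ORIG_DST, udp, DGRAM_LEN);
}

/* On a clean datagram the two options agree byte for byte; they differ only
 * in what they do with a checksum that was already wrong on arrival. */
int incremental_matches_recompute(void)
{
    uint8_t a[DGRAM_LEN], b[DGRAM_LEN];
    build_datagram(a);
    build_datagram(b);
    udp_fixup_incremental(a, NAT_SRC, ORIG_DST, ORIG_SRC, ORIG_DST);
    udp_fixup_recompute(b, DGRAM_LEN, NAT_SRC, ORIG_DST);
    return memcmp(a, b, DGRAM_LEN) == 0;
}

int main(void)
{
    printf("clean,   option (a): %s\n", nat_t_scenario(0, 'a') ? "accepted" : "dropped");
    printf("corrupt, option (a): %s\n", nat_t_scenario(1, 'a') ? "accepted" : "dropped");
    printf("clean,   option (b): %s\n", nat_t_scenario(0, 'b') ? "accepted" : "dropped");
    printf("corrupt, option (b): %s\n", nat_t_scenario(1, 'b') ? "accepted" : "dropped");
    return 0;
}
```

With option (a) the bit-flipped datagram is still rejected by the receiving UDP stack, because the incremental update only shifts the stored sum from one pseudo-header to the other and carries the mismatch along with it; with option (b) the same datagram is accepted, because recomputing the checksum from the received bytes discards the only evidence that they differ from what the sender checksummed. The example also keeps UDP's rule that a computed zero is transmitted as 0xffff, so the incremental path and the full recomputation produce identical bytes on a clean datagram.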