Re: About UDP Encapsulation of IPsec Packets

Ari Huttunen <Ari.Huttunen@f-secure.com> Tue, 23 April 2002 11:27 UTC

Message-ID: <3CC53899.E39D1F3A@F-Secure.com>
Date: Tue, 23 Apr 2002 13:34:01 +0300
From: Ari Huttunen <Ari.Huttunen@f-secure.com>
Organization: F-Secure Corporation
To: Jerry Yao <jerryyao@mail.jl.cn>
CC: ipsec@lists.tislabs.com
Subject: Re: About UDP Encapsulation of IPsec Packets
References: <002401c1e9ce$61e46f60$04a7c6ca@server>

Jerry Yao wrote:
> 
> I read the IETF draft "UDP Encapsulation of IPsec Packets" and I have a question about it.
>     If I receive a packet from a communication peer who is behind NAT, and the packet uses Transport Mode ESP Encapsulation:
> 
>          -------------------------------------------------------------
>    IPv4  |orig IP hdr  | UDP | Non-| ESP |     |      |   ESP   | ESP|
>          |(any options)| Hdr | IKE | Hdr | TCP | Data | Trailer |Auth|
>          -------------------------------------------------------------
>                                          |<----- encrypted ---->|
>                                    |<------ authenticated ----->|
> 
>    Now I don't know the original IP address of the communication peer. How can I locate the corresponding SA to decrypt or authenticate the ESP packet?

RFC-2401:
> A security association is uniquely identified by a triple consisting
>    of a Security Parameter Index (SPI), an IP Destination Address, and a
>    security protocol (AH or ESP) identifier. 

Ari

-- 
"They that can give up essential liberty to obtain a little 
temporary safety deserve neither liberty nor safety." - Benjamin Franklin

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise
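The lookup Ari's RFC 2401 quote describes, written out as an added example that is not code from this thread or from the draft: the inbound SA is selected by (destination address, protocol, SPI), so the NAT-rewritten source address is never consulted. The framing is assumed from the diagram in the question (an 8-byte all-zero Non-IKE marker ahead of the ESP header) and UDP port 4500 is assumed; both are stated in the code.

```python
import ipaddress
import struct

# Assumption: draft-era framing as drawn in the question, an 8-byte all-zero
# Non-IKE marker in front of the ESP header (the later RFC 3948 differs).
NON_IKE_MARKER = b"\x00" * 8
UDP_ENCAP_PORT = 4500  # assumed encapsulation port, not stated in the thread

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Construct a minimal IPv4+UDP packet (checksums zeroed) for the example."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp

def parse_ipv4_udp(packet):
    """Return (src, dst, dport, udp_payload); honours IHL so IP options are skipped."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    sport, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return src, dst, dport, packet[ihl + 8:ihl + udp_len]

def esp_spi(udp_payload):
    """Return the ESP SPI found behind the Non-IKE marker, or None for IKE traffic."""
    if len(udp_payload) < 16 or not udp_payload.startswith(NON_IKE_MARKER):
        return None
    return struct.unpack("!I", udp_payload[8:12])[0]

def find_inbound_sa(sadb, packet):
    """Select the SA by the RFC 2401 triple (destination address, protocol, SPI).
    The source address, which the NAT has rewritten, plays no part in the lookup."""
    src, dst, dport, payload = parse_ipv4_udp(packet)
    if dport != UDP_ENCAP_PORT:
        return None
    spi = esp_spi(payload)
    if spi is None:
        return None
    return sadb.get((dst, "ESP", spi))

# Constructed SADB and packets: the peer sits behind a NAT whose public address
# is 203.0.113.5; the SA was negotiated with SPI 0x1234 toward 198.51.100.10.
SADB = {("198.51.100.10", "ESP", 0x1234): {"enc": "aes-cbc", "auth": "hmac-sha1"}}
ESP_PAYLOAD = NON_IKE_MARKER + struct.pack("!II", 0x1234, 1) + b"\xaa" * 32
IKE_PAYLOAD = bytes.fromhex("0011223344556677") + b"\x00" * 24  # nonzero IKE cookie
NAT_PACKET = build_ipv4_udp("203.0.113.5", "198.51.100.10", 4500, 4500, ESP_PAYLOAD)
IKE_PACKET = build_ipv4_udp("203.0.113.5", "198.51.100.10", 4500, 4500, IKE_PAYLOAD)

if __name__ == "__main__":
    print(find_inbound_sa(SADB, NAT_PACKET))  # SA found without knowing the original source
```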