NAT Traversal and packet reassemble
michael lin <michaell@servgate.com> Wed, 08 May 2002 00:09 UTC
Message-ID: <605C42246151B7498423278ED555306F04C049@skat.sky.com>
From: michael lin <michaell@servgate.com>
To: "'ipsec@lists.tislabs.com'" <ipsec@lists.tislabs.com>
Subject: NAT Traversal and packet reassemble
Date: Tue, 07 May 2002 16:26:59 -0700
Hi,

To support IPSec fragment packets, the only thing the VPN gateway should do is to reassemble AH and ESP packets. In NAT Traversal, all IPSec packets are encapsulated by a UDP header (port 500 or 4500). For the first fragment, the VPN gateway can only keep the packet with UDP port 500 and non-IKE marker. But for the second fragment, there is no UDP header. There is no way to know whether this fragment is a UDP encapsulated IPSec packet or another UDP packet. That means the VPN gateway should try to reassemble all UDP packets. This will affect VPN gateway throughput. It seems there is no way to solve this problem, right?

Michael
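The following is an added example, not part of the original message: it parses constructed IPv4 fragments to show what a gateway can read from each one, and why a non-first fragment cannot be classified by port. Tracking by (source, destination, protocol, IP ID) is an assumption of this sketch, not something proposed in the message, and the non-IKE marker check is omitted.

```python
import struct
from ipaddress import IPv4Address

UDP = 17
NATT_PORTS = {500, 4500}  # the ports named in the message

def ipv4(src, dst, ident, off8, more, payload, proto=UDP):
    """Build a constructed IPv4 packet (checksum left at zero; sample data only)."""
    flags_off = (0x2000 if more else 0) | off8  # MF bit + offset in 8-byte units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_off, 64, proto, 0, IPv4Address(src).packed,
                       IPv4Address(dst).packed) + payload

class FragmentClassifier:
    """Hypothetical helper: remembers which IP IDs began as NAT-T datagrams."""
    def __init__(self):
        self.natt_ids = set()

    def classify(self, pkt):
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_off = struct.unpack("!HH", pkt[4:8])
        proto, key = pkt[9], (pkt[12:16], pkt[16:20], pkt[9], ident)
        offset, more = flags_off & 0x1FFF, bool(flags_off & 0x2000)
        if proto != UDP:
            return "not-udp"
        if offset == 0:
            # Only a datagram's first fragment carries the UDP header.
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            natt = sport in NATT_PORTS or dport in NATT_PORTS
            if natt and more:
                self.natt_ids.add(key)
            return "natt" if natt else "other-udp"
        # Non-first fragment: no ports to inspect, only the IP header fields.
        return "natt-fragment" if key in self.natt_ids else "unknown-fragment"

def demo():
    # Constructed sample traffic using documentation address ranges.
    udp_hdr = struct.pack("!HHHH", 4500, 4500, 8 + 28, 0)
    first = ipv4("198.51.100.7", "203.0.113.1", 0x1234, 0, True, udp_hdr + b"\xaa" * 16)
    second = ipv4("198.51.100.7", "203.0.113.1", 0x1234, 3, False, b"\xaa" * 12)
    stray = ipv4("198.51.100.9", "203.0.113.1", 0x1234, 3, False, b"\xbb" * 12)
    c = FragmentClassifier()
    return [c.classify(second),  # arrives before its first fragment
            c.classify(first), c.classify(second), c.classify(stray)]

if __name__ == "__main__":
    print(demo())
```

A fragment that arrives ahead of its first fragment still comes back as `unknown-fragment`, so a gateway using this approach has to buffer such fragments until the first one shows up or a timer expires.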
- NAT Traversal and packet reassemble michael lin
- Re: NAT Traversal and packet reassemble Srinivasa Addepalli
- RE: NAT Traversal and packet reassemble Chris Trobridge
- RE: NAT Traversal and packet reassemble michael lin