Re: IPSEC Security Gateways & NAT
Ari Huttunen <Ari.Huttunen@F-Secure.com> Thu, 07 June 2001 17:28 UTC
Message-ID: <3B1FA8A5.87F6B776@F-Secure.com>
Date: Thu, 07 Jun 2001 19:15:33 +0300
From: Ari Huttunen <Ari.Huttunen@F-Secure.com>
Organization: F-Secure Corporation
To: "Steven M. Bellovin" <smb@research.att.com>
CC: Joern Sierwald <joern.sierwald@F-Secure.com>, ipsec@lists.tislabs.com, Chris Trobridge <CTrobridge@baltimore.com>
Subject: Re: IPSEC Security Gateways & NAT
References: <20010607131627.C99717B84@berkshire.research.att.com>

"Steven M. Bellovin" wrote:
>
> In message <3.0.5.32.20010607143550.047a3380@smtp.datafellows.com>, Joern Sierwald writes:
> >
> >The consensus among IPsec vendors is ESPoUDP. You use tunnel mode,
> >and insert a UDP header in front of the ESP header. This is dead simple
> >and works with normal NAT boxes.
> >
>
> I don't know that I'd use the word "consensus" -- and I would note that
> SSH has claimed assorted patent rights to the concept, at least as
> explained in draft-stenberg-ipsec-nat-traversal-*.txt.

Consensus is perhaps too strong a word, but the suggestions I've seen
are of two kinds: they modify the NAT box, or they put a UDP header
in front of the ESP (or AH) header. If one has the assumption that NAT
boxes can't be modified, I'd say the consensus is on UDP encapsulation.

I've seen two SSH patent applications on this, and they didn't (seem to)
cover simple UDP header in front of ESP header. They cover a lot of other
things, but not that. The reason is probably that some hardware gateway
vendors have had this in for years. I don't know exactly how long, but
that's what someone told me in San Diego last fall.

Ari

--
Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001
F-Secure Corporation           http://www.F-Secure.com
F(ully)-Secure products: Integrated Solutions for Enterprise Security
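
The UDP encapsulation discussed in this message, as an added sketch that is not part of the original post or of any vendor's code: a UDP header goes in front of ESP so that an unmodified port-translating NAT has ports to map, while the ESP bytes (including the integrity check value) pass through untouched. The port number, addresses, SPIs and the toy `Napt` class are assumptions made for illustration; the thread names none of them.

```python
import struct

ENCAP_PORT = 50000  # assumed port for this sketch; the post names none

def esp_packet(spi, seq, ciphertext, icv):
    """ESP on the wire: 32-bit SPI, 32-bit sequence number, protected payload, ICV."""
    return struct.pack("!II", spi, seq) + ciphertext + icv

def udp_encapsulate(src_port, dst_port, esp):
    """Put an 8-byte UDP header in front of ESP. Checksum 0 means 'not computed' in IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp), 0) + esp

def udp_decapsulate(datagram):
    """Strip the UDP header and return (src_port, dst_port, esp_bytes)."""
    src, dst, length, _ = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram) or length < 16:
        raise ValueError("bad UDP length or no room for ESP SPI and sequence number")
    return src, dst, datagram[8:]

class Napt:
    """Toy port-translating NAT: it only understands and rewrites UDP ports."""
    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.out = {}    # (inside_ip, inside_port) -> public_port
        self.back = {}   # public_port -> (inside_ip, inside_port)
    def outbound(self, inside_ip, datagram):
        (src_port,) = struct.unpack("!H", datagram[:2])
        key = (inside_ip, src_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return struct.pack("!H", self.out[key]) + datagram[2:]
    def inbound(self, datagram):
        (dst_port,) = struct.unpack("!H", datagram[2:4])
        inside_ip, inside_port = self.back[dst_port]
        return inside_ip, datagram[:2] + struct.pack("!H", inside_port) + datagram[4:]

def demo():
    nat = Napt()
    # Constructed sample: two inside hosts, same source port, different SAs.
    esp_a = esp_packet(0x1001, 1, b"A" * 16, b"\xaa" * 12)
    esp_b = esp_packet(0x2002, 1, b"B" * 16, b"\xbb" * 12)
    wire_a = nat.outbound("10.0.0.5", udp_encapsulate(ENCAP_PORT, ENCAP_PORT, esp_a))
    wire_b = nat.outbound("10.0.0.6", udp_encapsulate(ENCAP_PORT, ENCAP_PORT, esp_b))
    port_a, _, seen_a = udp_decapsulate(wire_a)
    port_b, _, seen_b = udp_decapsulate(wire_b)
    reply_to = nat.inbound(udp_encapsulate(ENCAP_PORT, port_b, esp_b))[0]
    return port_a, port_b, seen_a == esp_a and seen_b == esp_b, reply_to
```

Bare ESP (IP protocol 50) carries no port field, so this kind of NAT would have nothing to key the two hosts' return traffic on; with the UDP header each host gets its own translated port.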