IPSEC and PAT

Steven M. Bellovin smb at research.att.com
Fri Sep 14 01:43:48 UTC 2001


In message <912A91BC69F4D3119D1B009027D0D40C01BB45A7 at exchange1.secure.insweb.com>, Vandy Hamidi writes:
>It is working now.  I've done it with Linksys and Netopia DSL routers.
>Software client on the laptop that DOES tunnel mode ESP.  No AH and running
>through a PAT and it works flawlessly.  I just want to know how it works,
>I've already determined that it does.
>The point where my logic fails is where PAT relies on modifying the TCP/UDP
>port numbers: an ESP packet has a standard IP header with an additional
>protocol 50 ESP header.  Since there are no ports to change to create a table
>to keep track of which packet came from which internal client, what is used
>to keep track?
>Someone said something about the UDP encapsulation, but what about the
>NETOPIA which doesn't do that?

I repeat -- it doesn't do PAT.  Some "routers" -- they're really no 
such thing, of course; they're NAT boxes and/or bridges -- allow one 
host behind them to speak IPsec.  If a host emits a packet using ESP, 
it's tagged as *the* IPsec user; return IPsec packets are routed to 
that host.  (Some of these boxes may use manual configuration instead 
or in addition.)  You can't have two IPsec hosts, because there's no 
way to know which should receive incoming packets -- there's no 
relationship between inbound and outbound SPIs.

As for the UDP encapsulation -- yes, the IETF's IPsec working group is 
moving in that direction.  But it's not standardized yet, and there may 
be patent issues to sort through.

		--Steve Bellovin, http://www.research.att.com/~smb
				  http://www.wilyhacker.com
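As an added illustration, not part of Steve Bellovin's message or of anything the thread's participants posted, the following toy Python model contrasts the two mechanisms he describes: PAT, which keys a translation table on TCP/UDP ports, and single-host ESP passthrough, where the box can only remember which inside host spoke protocol 50. The tagging policy (first host to emit ESP wins), the `NatBox`/`Packet` names and all addresses and SPIs are constructed for the example; real boxes may instead use the most recent sender or manual configuration, as the message notes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "esp" (IP protocol 50)
    src: str
    dst: str
    sport: Optional[int] = None  # TCP/UDP only
    dport: Optional[int] = None  # TCP/UDP only
    spi: Optional[int] = None    # ESP only; chosen per direction by the receiver of that SA


class NatBox:
    """Constructed model of a home NAT box: PAT for TCP/UDP, one-host passthrough for ESP."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 40000
        # (proto, public port) -> (inside addr, inside port): the table PAT relies on.
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # ESP has no ports, so the only state the box can keep is *which* host spoke ESP.
        self.ipsec_host: Optional[str] = None

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto in ("tcp", "udp"):
            pub = self._next_port
            self._next_port += 1
            self.pat[(pkt.proto, pub)] = (pkt.src, pkt.sport)
            return Packet(pkt.proto, self.public_ip, pkt.dst, pub, pkt.dport)
        if pkt.proto == "esp":
            # Assumed policy: the first host to emit ESP is tagged as "the" IPsec user.
            if self.ipsec_host is None:
                self.ipsec_host = pkt.src
            # Recording the outbound SPI would not help: the peer's reply carries an
            # SPI of its own choosing, with no relationship to this one.
            return Packet("esp", self.public_ip, pkt.dst, spi=pkt.spi)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in ("tcp", "udp"):
            inside = self.pat.get((pkt.proto, pkt.dport))
            if inside is None:
                return None  # no mapping: dropped
            return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1])
        if pkt.proto == "esp":
            if self.ipsec_host is None:
                return None
            # Nothing in the packet, SPI included, tells the box which inside host owns it.
            return Packet("esp", pkt.src, self.ipsec_host, spi=pkt.spi)
        raise ValueError(f"unsupported protocol {pkt.proto}")


def demo() -> dict:
    box = NatBox("203.0.113.1")  # constructed addresses from the RFC 5737 documentation ranges
    a, b, gw = "192.168.1.10", "192.168.1.11", "198.51.100.5"

    # Two inside hosts using TCP: PAT hands out distinct public ports, so replies demultiplex.
    ta = box.outbound(Packet("tcp", a, gw, 5555, 443))
    tb = box.outbound(Packet("tcp", b, gw, 5555, 443))
    reply_a = box.inbound(Packet("tcp", gw, box.public_ip, 443, ta.sport))
    reply_b = box.inbound(Packet("tcp", gw, box.public_ip, 443, tb.sport))

    # The same two hosts using ESP: nothing to rewrite, only "who spoke ESP" is remembered.
    box.outbound(Packet("esp", a, gw, spi=0x1111))
    box.outbound(Packet("esp", b, gw, spi=0x2222))
    # The gateway replies with SPIs *it* chose; they are unrelated to 0x1111 / 0x2222.
    esp_for_a = box.inbound(Packet("esp", gw, box.public_ip, spi=0xAAAA))
    esp_for_b = box.inbound(Packet("esp", gw, box.public_ip, spi=0xBBBB))

    return {
        "tcp_ports_distinct": ta.sport != tb.sport,
        "tcp_reply_a": reply_a.dst,
        "tcp_reply_b": reply_b.dst,
        "esp_reply_meant_for_a": esp_for_a.dst,
        "esp_reply_meant_for_b": esp_for_b.dst,  # lands on host A: the box cannot tell
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the TCP replies reaching their respective hosts while both ESP replies are delivered to the first host that spoke ESP; the second host's traffic is silently misdelivered, which is exactly why these boxes support only one IPsec host behind them.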