IPSEC and PAT
Steven M. Bellovin
smb at research.att.com
Fri Sep 14 06:52:52 UTC 2001
In message <LCEKLACNFGLMOPOGNBNMMEBBCEAA.tim at eng.bellsouth.net>, "Tim Irwin" wr
ites:
>
>I looked at this a while back... I am dusting off the cobwebs of my mind, so
>no flames please. I believe that the NATing device must modify the SPI
>values. The sending device sends out an ESP packet with src addy of, say
>192.168.1.2, to the NAT router. The router must look at the TCP port to
>determine that it's IPSEC in order to figure out that it's a special case
>and NAT it. It then must modify the SPI value (which is partially made up
>of the src IP address) as it leaves because the NAT dst device will use the
>info in the SPI value in the formulation of it's reply.
>
>If this is wrong, please correct me... I'm interested in knowing as well.
That doesn't work -- the SPI is protected by ESP's authentication check
(section 2 of RFC 2406) or by AH (section 2 of RFC 2402).
--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
More information about the NANOG
mailing list