IPSEC and PAT

• Previous message (by thread): IPSEC and PAT
• Next message (by thread): Assistance (mildly OT)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In message <LCEKLACNFGLMOPOGNBNMMEBBCEAA.tim at eng.bellsouth.net>, "Tim Irwin" wr
ites:

>
>I looked at this a while back... I am dusting off the cobwebs of my mind, so
>no flames please.  I believe that the NATing device must modify the SPI
>values.  The sending device sends out an ESP packet with src addy of, say
>192.168.1.2, to the NAT router.  The router must look at the TCP port to
>determine that it's IPSEC in order to figure out that it's a special case
>and NAT it.  It then must modify the SPI value (which is partially made up
>of the src IP address) as it leaves because the NAT dst device will use the
>info in the SPI value in the formulation of it's reply.
>
>If this is wrong, please correct me... I'm interested in knowing as well.

That doesn't work -- the SPI is protected by ESP's authentication check 
(section 2 of RFC 2406) or by AH (section 2 of RFC 2402).

		--Steve Bellovin, http://www.research.att.com/~smb
				  http://www.wilyhacker.com

• Previous message (by thread): IPSEC and PAT
• Next message (by thread): Assistance (mildly OT)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]