[42168] in North American Network Operators' Group


Re: IPSEC and PAT

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Sep 13 20:25:15 2001

From: "Steven M. Bellovin" <smb@research.att.com>
To: Vandy Hamidi <vhamidi@insweb.com>
Cc: nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 13 Sep 2001 20:21:06 -0400
Message-Id: <20010914002107.15F3A7BFD@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu


In message <912A91BC69F4D3119D1B009027D0D40C01BB459C@exchange1.secure.insweb.com>, Vandy Hamidi writes:
>
>I know that in Tunnel Mode, IPsec can be NATed and PATed (without IKE on UDP
>500 being used), but as I'm trying to break down the process of how it is
>working, I've been stumped by this:
>NAT - Changes source IP during translation
>PAT - Changes source IP and TCP/UDP port to another to track multiple-to-one
>translations.
>My question is, how does PAT track the packets with their internal hosts
>when there is not a TCP/UDP header to translate?
>How does it know which "internal" host a returning ESP packet must be
>forwarded to after it un-PATs the incoming packet?
>Thanks, and I hope this isn't a totally stupid question. If it is, humor me
>;),

IPsec can't be PATted, because the TCP and UDP port numbers are in the 
protected part of the packet.

		--Steve Bellovin, http://www.research.att.com/~smb
				  http://www.wilyhacker.com
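As an added illustration of the point above (example code, not from the thread), the constructed packets below show what a PAT device can actually read in a plain ESP packet versus a UDP-encapsulated one (RFC 3948, UDP/4500); the NAT-traversal case goes slightly beyond the thread. Addresses, SPI and the zeroed "ciphertext" are made-up sample values.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500  # RFC 3948 UDP port for UDP-encapsulated ESP

def ipv4_packet(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def esp_header(spi, seq, ciphertext):
    """ESP: 32-bit SPI, 32-bit sequence number, then the encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext

def udp_encap_esp(spi, seq, ciphertext):
    """RFC 3948 style: a UDP header (4500 -> 4500) in front of the ESP header."""
    esp = esp_header(spi, seq, ciphertext)
    return struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp

def pat_view(pkt):
    """Fields a PAT device can read without the SA keys; 'sport' is None
    when there is no cleartext transport port to rewrite or map back."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    view = {"proto": proto, "sport": None, "dport": None,
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        view["sport"], view["dport"] = struct.unpack("!HH", body[:4])
    elif proto == IPPROTO_ESP:
        # Only SPI and sequence number are cleartext; the inner TCP/UDP header
        # and its ports sit inside the encrypted payload.
        view["spi"], view["seq"] = struct.unpack("!II", body[:8])
    return view

def can_pat(pkt):
    """PAT needs a rewritable source port; plain ESP offers none."""
    return pat_view(pkt)["sport"] is not None

if __name__ == "__main__":
    ct = b"\x00" * 32  # constructed stand-in for the encrypted payload
    plain = ipv4_packet(IPPROTO_ESP, "10.0.0.5", "203.0.113.9", esp_header(0x1000, 1, ct))
    natt = ipv4_packet(IPPROTO_UDP, "10.0.0.5", "203.0.113.9", udp_encap_esp(0x1000, 1, ct))
    for name, pkt in (("plain ESP", plain), ("UDP-encap ESP", natt)):
        print(name, pat_view(pkt), "PAT possible:", can_pat(pkt))
```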


