[42203] in North American Network Operators' Group


Re: IPSEC and PAT

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Fri Sep 14 02:53:41 2001

From: "Steven M. Bellovin" <smb@research.att.com>
To: tim@eng.bellsouth.net
Cc: "Vandy Hamidi" <vhamidi@insweb.com>, nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 14 Sep 2001 02:52:52 -0400
Message-Id: <20010914065252.B0F0D7BFD@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu


In message <LCEKLACNFGLMOPOGNBNMMEBBCEAA.tim@eng.bellsouth.net>, "Tim Irwin" writes:

>
>I looked at this a while back... I am dusting off the cobwebs of my mind, so
>no flames please.  I believe that the NATing device must modify the SPI
>values.  The sending device sends out an ESP packet with src addy of, say
>192.168.1.2, to the NAT router.  The router must look at the TCP port to
>determine that it's IPSEC in order to figure out that it's a special case
>and NAT it.  It then must modify the SPI value (which is partially made up
>of the src IP address) as it leaves because the NAT dst device will use the
>info in the SPI value in the formulation of its reply.
>
>If this is wrong, please correct me... I'm interested in knowing as well.

That doesn't work -- the SPI is protected by ESP's authentication check 
(section 2 of RFC 2406) or by AH (section 2 of RFC 2402).

		--Steve Bellovin, http://www.research.att.com/~smb
				  http://www.wilyhacker.com
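As an added illustration (not part of this thread, and not code from either poster), the following Python sketch models why the objection above holds. It computes an HMAC-SHA1-96 integrity check value (ICV) over the part of an ESP packet that RFC 2406 section 2 says the authenticator covers (SPI, sequence number, payload and trailer) and shows that a NAT rewriting the SPI field leaves a packet the peer rejects. For contrast it also models AH (RFC 2402), whose ICV additionally covers the immutable fields of the IP header, so a plain source-address rewrite fails there too while a router's TTL decrement does not. The key, payload and the 203.0.113.x / 198.51.100.x addresses are constructed for the demo; padding, pad length and next-header are folded into `payload`.

```python
import hmac
import hashlib
import ipaddress
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): SHA-1 output truncated to 96 bits


# --- ESP (RFC 2406) -------------------------------------------------------
# The ESP authenticator covers the ESP header (SPI, sequence number), the
# payload and the ESP trailer, but NOT the outer IP header.  Padding, pad
# length and next-header are folded into `payload` here for brevity.

def esp_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """SPI | seq | payload(+trailer) | ICV, as the sender emits it."""
    return struct.pack("!II", spi, seq) + payload + esp_icv(key, spi, seq, payload)


def verify_esp(key: bytes, pkt: bytes) -> bool:
    """Receiver side: recompute the ICV over the header and payload it got."""
    spi, seq = struct.unpack("!II", pkt[:8])
    payload, icv = pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(key, spi, seq, payload))


def nat_rewrite_spi(pkt: bytes, new_spi: int) -> bytes:
    """Model of the quoted proposal: a NAT overwriting the SPI field in place."""
    return struct.pack("!I", new_spi) + pkt[4:]


# --- AH (RFC 2402) --------------------------------------------------------
# AH's ICV also covers the IP header, with the fields a router may legitimately
# change in transit (TOS, flags/fragment offset, TTL, header checksum) zeroed.

def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal constructed IPv4 header; checksum left zero (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def zero_mutable_fields(iphdr: bytes) -> bytes:
    h = bytearray(iphdr)
    h[1] = 0            # TOS
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return bytes(h)


def ah_icv(key: bytes, iphdr: bytes, spi: int, seq: int, payload: bytes, next_hdr: int = 6) -> bytes:
    # AH header: next hdr, payload len (4 for a 96-bit ICV), reserved, SPI, seq,
    # followed by the ICV field itself taken as zeros for the computation.
    ah_hdr = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + bytes(ICV_LEN)
    data = zero_mutable_fields(iphdr) + ah_hdr + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def demo() -> dict:
    key = b"constructed-demo-key-not-real"
    payload = b"inner packet bytes (constructed)"
    spi, seq = 0x1000, 1

    results = {}
    esp = build_esp(key, spi, seq, payload)
    results["esp_intact"] = verify_esp(key, esp)
    # The SPI sits under the authenticator: any rewrite fails at the peer.
    results["esp_spi_rewritten"] = verify_esp(key, nat_rewrite_spi(esp, 0x2000))

    # AH: ICV computed by the sender behind the NAT (192.168.1.2 from the thread;
    # the other addresses are constructed documentation-range values).
    ah_len = 20 + 12 + ICV_LEN + len(payload)
    sent = ipv4_header("192.168.1.2", "203.0.113.9", 51, ah_len)
    icv = ah_icv(key, sent, spi, seq, payload)
    # A router decrementing TTL is fine: TTL is excluded from the computation.
    one_hop = ipv4_header("192.168.1.2", "203.0.113.9", 51, ah_len, ttl=63)
    results["ah_ttl_decremented"] = hmac.compare_digest(icv, ah_icv(key, one_hop, spi, seq, payload))
    # A NAT rewriting the source address is not: the source address is covered.
    natted = ipv4_header("198.51.100.7", "203.0.113.9", 51, ah_len)
    results["ah_src_rewritten"] = hmac.compare_digest(icv, ah_icv(key, natted, spi, seq, payload))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} ICV {'verifies' if ok else 'FAILS'}")
```

Running it prints four lines: the untouched ESP packet and the TTL-decremented AH packet verify, while the SPI-rewritten ESP packet and the source-address-rewritten AH packet fail. The ESP case is the one the thread is about: because the outer IP header is outside ESP's authenticated region, address translation alone does not disturb the ICV, but the SPI does sit inside it, so a middlebox cannot rewrite it without the receiver's key.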


