nanog mailing list archives

Re: IPSEC and PAT


From: "Steven M. Bellovin" <smb () research att com>
Date: Fri, 14 Sep 2001 02:52:52 -0400


In message <LCEKLACNFGLMOPOGNBNMMEBBCEAA.tim () eng bellsouth net>, "Tim Irwin" writes:


I looked at this a while back... I am dusting off the cobwebs of my mind, so
no flames please.  I believe that the NATing device must modify the SPI
values.  The sending device sends out an ESP packet with src addy of, say
192.168.1.2, to the NAT router.  The router must look at the TCP port to
determine that it's IPSEC in order to figure out that it's a special case
and NAT it.  It then must modify the SPI value (which is partially made up
of the src IP address) as it leaves because the NAT dst device will use the
info in the SPI value in the formulation of its reply.

If this is wrong, please correct me... I'm interested in knowing as well.

That doesn't work -- the SPI is protected by ESP's authentication check 
(section 2 of RFC 2406) or by AH (section 2 of RFC 2402).

                --Steve Bellovin, http://www.research.att.com/~smb
                                  http://www.wilyhacker.com
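The integrity check Steve points to, as an added example written for this page (it is not code from either poster): a minimal model of the ESP (RFC 2406) and AH (RFC 2402) integrity check using HMAC-SHA1-96, with a NAT rewriting first the outer source address and then the SPI. The packet layout is deliberately simplified and is an assumption of this example, not the wire format: the "IP header" is only the source and destination addresses (the fields a NAT touches), ESP's payload is opaque bytes with encryption, padding and next-header folded in, and AH's mutable-field zeroing is reduced to the two addresses being treated as immutable. Keys, addresses, SPIs and the payload are constructed test values. ESP's ICV covers the SPI, sequence number and payload but not the outer IP header, so a source-address rewrite survives while an SPI rewrite fails; AH's ICV also covers the immutable IP header fields, so both rewrites fail. A second problem with the scheme, not modeled here, is that ESP and AH are IP protocols 50 and 51 and carry no transport-layer port for a NAT to inspect.

```python
"""Why a NAT cannot rewrite the SPI of an ESP or AH packet.

Added example for this page, not code from the thread. Toy layout:
  ESP: ip(8) | spi(4) seq(4) | payload | icv(12)
  AH:  ip(8) | spi(4) seq(4) | icv(12) | payload
The 'ip' header is only src||dst (4 bytes each). Encryption is not modeled.
"""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte SHA-1 tag truncated to 96 bits


def _hmac96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def _ip_hdr(src: str, dst: str) -> bytes:
    # Toy outer header: just the two addresses, which is what a NAT rewrites.
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed


# ---- ESP (RFC 2406): ICV covers SPI || seq || payload, not the IP header ----

def esp_build(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    esp_body = struct.pack("!II", spi, seq) + payload
    return _ip_hdr(src, dst) + esp_body + _hmac96(key, esp_body)


def esp_verify(key: bytes, pkt: bytes) -> bool:
    esp_body, icv = pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, _hmac96(key, esp_body))


# ---- AH (RFC 2402): ICV also covers the immutable IP header fields ----

def ah_build(key: bytes, src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    ip = _ip_hdr(src, dst)
    ah_hdr = struct.pack("!II", spi, seq)
    # src/dst do not legitimately change in transit, so they are covered;
    # the ICV field itself is zero-filled while the tag is computed.
    icv = _hmac96(key, ip + ah_hdr + bytes(ICV_LEN) + payload)
    return ip + ah_hdr + icv + payload


def ah_verify(key: bytes, pkt: bytes) -> bool:
    ip, ah_hdr = pkt[:8], pkt[8:16]
    icv, payload = pkt[16:16 + ICV_LEN], pkt[16 + ICV_LEN:]
    return hmac.compare_digest(icv, _hmac96(key, ip + ah_hdr + bytes(ICV_LEN) + payload))


# ---- What a NAT in the path would do ----

def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """Ordinary NAT: swap the outer source address (bytes 0..4)."""
    return ipaddress.IPv4Address(new_src).packed + pkt[4:]


def nat_rewrite_spi(pkt: bytes, new_spi: int) -> bytes:
    """The proposal in the thread: rewrite the SPI (bytes 8..12 in both layouts)."""
    return pkt[:8] + struct.pack("!I", new_spi) + pkt[12:]


def demo() -> dict:
    key = b"constructed-integrity-key-test-value"  # test value only
    payload = b"\x00" * 40                          # stand-in for encrypted data
    esp = esp_build(key, "192.168.1.2", "203.0.113.7", 0x1234ABCD, 1, payload)
    ah = ah_build(key, "192.168.1.2", "203.0.113.7", 0x1234ABCD, 1, payload)
    return {
        "esp_untouched": esp_verify(key, esp),
        "esp_after_nat_src": esp_verify(key, nat_rewrite_src(esp, "198.51.100.9")),
        "esp_after_spi_rewrite": esp_verify(key, nat_rewrite_spi(esp, 0x5EEDF00D)),
        "ah_untouched": ah_verify(key, ah),
        "ah_after_nat_src": ah_verify(key, nat_rewrite_src(ah, "198.51.100.9")),
        "ah_after_spi_rewrite": ah_verify(key, nat_rewrite_spi(ah, 0x5EEDF00D)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'verifies' if ok else 'ICV FAILS'}")
```

Running it shows the asymmetry that matters for NAT traversal: ESP tolerates the address rewrite and only the SPI rewrite breaks it, while AH rejects both. Any scheme that has the NAT alter the SPI therefore fails at the receiver's integrity check regardless of which protocol is in use.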


