nanog mailing list archives
Re: Block all servers?
From: Crist Clark <crist.clark () globalstar com>
Date: Tue, 14 Oct 2003 10:07:45 -0700
Stefan Mink wrote:

> On Sat, Oct 11, 2003 at 08:28:11AM -0700, ken emery wrote:
> > > I use IPSEC and it works fine behind NAT.
> > Yes, it does work, on a small scale. However, what if your neighbor wants to IPSEC to the same place (say you work at the same place)? If both of you are NAT'd from the same IP address trying to IPSEC to the same IP address? I don't believe things will work in this instance.
> why not? We use it here, works fine (with certificates for auth).
OK, let's do this one more time. Many-to-one NAT of a many-to-one ESP VPN does not work. (Period)

Why? There is no way for the NAT device to map the ESP packets to the nodes it "hides." You say, "The SPI field is perfect for maintaining a translation table!" It would be, except for one very big problem. IPsec is a peer-to-peer protocol. Either side may renegotiate the SAs at any time. While using IKE[0], the SPI passes the NAT device in the _encrypted_ payloads. The NAT device never sees the SPI until the ESP starts flowing. Also, keep in mind the SPI is _not_ symmetric.

So, now we have two machines behind a NAT device, and both want to have an ESP VPN to the same machine. What does the NAT device do when it receives an ESP packet from the exterior end of the ESP VPN tunnel? How does it decide which of the internal ends to send it to? The SPI has nothing to do with the outgoing SPIs (if it even has seen any outgoing ESP yet). It cannot pull the SPI out of the IKE. You can try timing: if it's a new SPI, try sending it to the last one that had an IKE conversation, but that is a guess. What happens if two happen to negotiate at once? And if you guess wrong, things do not fail and recover for the VPN players.

So, you cannot NAT ESP in the general case. Thus we have all of the rather grotesque kludges of wrapping the ESP in another transport layer of UDP or TCP so that the NAT devices have some port numbers to play with. If your IPsec VPN works through NAT, the NATer is making some assumptions (usually it only will support a single IPsec end point behind it, which solves the "who do I send the ESP to" problem) or your VPN software has a Draft or vendor kludge to wrap the IPsec in something more NAT friendly.

Note again that "NAT" above implies "many-to-one NAT." This problem disappears in a one-to-one NAT configuration, where only authentication and integrity issues, which can be dealt with within IPsec, come into play.

If someone has figured out a way around this, I would love to hear about it.

[0] The fact you don't need to use IKE to set up SAs makes the problem even more intractable. A NAT device would have to know of every possible way to configure SPIs.

-- 
Crist J. Clark                                crist.clark () globalstar com
Globalstar Communications                                  (408) 933-4387

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster () globalstar com
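A constructed model of the demultiplexing problem described above (added here; not code from the post or from any vendor): a many-to-one NAT can learn only the SPIs its inner hosts send, so the peer's replies, carrying SPIs chosen inside encrypted IKE, cannot be mapped back, while UDP-encapsulated ESP gives the NAT a port to translate. The hosts, addresses and the use of UDP port 4500 (as in RFC 3948) are assumptions of the example.

```python
# Constructed model: plain ESP vs UDP-encapsulated ESP through a many-to-one NAT.
# Addresses, SPIs and port 4500 are assumed values, not taken from the thread.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class EspPacket:
    src: str
    dst: str
    spi: int                          # chosen by the *receiver* of the SA, per direction
    udp_sport: Optional[int] = None   # present only when ESP is wrapped in UDP
    udp_dport: Optional[int] = None

class ManyToOneNat:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.spi_table = {}       # outbound SPI -> inner host (all the NAT can learn from ESP)
        self.port_table = {}      # public UDP port -> inner host
        self.next_port = 40000

    def outbound(self, pkt: EspPacket) -> EspPacket:
        if pkt.udp_sport is None:
            # Plain ESP: the only handle visible to the NAT is the SPI the inner host sends.
            self.spi_table[pkt.spi] = pkt.src
            return EspPacket(self.public_ip, pkt.dst, pkt.spi)
        # UDP-encapsulated ESP: allocate a unique public source port, as for any UDP flow.
        port, self.next_port = self.next_port, self.next_port + 1
        self.port_table[port] = pkt.src
        return EspPacket(self.public_ip, pkt.dst, pkt.spi, port, pkt.udp_dport)

    def inbound(self, pkt: EspPacket) -> Optional[str]:
        """Inner host an inbound packet belongs to, or None when the NAT cannot tell."""
        if pkt.udp_dport is None:
            # The inbound SPI is unrelated to any outbound SPI and was never seen in clear.
            return self.spi_table.get(pkt.spi)
        return self.port_table.get(pkt.udp_dport)

PEER, PUBLIC = "198.51.100.7", "203.0.113.1"
def demo_plain_esp() -> list:
    nat = ManyToOneNat(PUBLIC)
    nat.outbound(EspPacket("10.0.0.2", PEER, spi=0x1111))   # host A's SA to the peer
    nat.outbound(EspPacket("10.0.0.3", PEER, spi=0x2222))   # host B's SA to the same peer
    # Peer replies with the SPIs A and B asked for inside IKE: NAT has no matching entry.
    return [nat.inbound(EspPacket(PEER, PUBLIC, spi=s)) for s in (0xAAAA, 0xBBBB)]

def demo_udp_encap() -> list:
    nat = ManyToOneNat(PUBLIC)
    a = nat.outbound(EspPacket("10.0.0.2", PEER, 0x1111, 4500, 4500))
    b = nat.outbound(EspPacket("10.0.0.3", PEER, 0x2222, 4500, 4500))
    # Peer replies to the public ports the NAT chose; the port, not the SPI, identifies the host.
    return [nat.inbound(EspPacket(PEER, PUBLIC, 0xAAAA, 4500, a.udp_sport)),
            nat.inbound(EspPacket(PEER, PUBLIC, 0xBBBB, 4500, b.udp_sport))]
```

demo_plain_esp() returns [None, None] for both inbound packets, which is the "who do I send the ESP to" problem; demo_udp_encap() returns each packet's correct inner host.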