Merit Network
 Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives
North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IPSEC and PAT

  • From: Steven M. Bellovin
  • Date: Fri Sep 14 02:55:51 2001 
In message <LCEKLACNFGLMOPOGNBNMMEBBCEAA.tim@eng.bellsouth.net>, "Tim Irwin" wr
ites:

>
>I looked at this a while back... I am dusting off the cobwebs of my mind, so
>no flames please.  I believe that the NATing device must modify the SPI
>values.  The sending device sends out an ESP packet with src addy of, say
>192.168.1.2, to the NAT router.  The router must look at the TCP port to
>determine that it's IPSEC in order to figure out that it's a special case
>and NAT it.  It then must modify the SPI value (which is partially made up
>of the src IP address) as it leaves because the NAT dst device will use the
>info in the SPI value in the formulation of it's reply.
>
>If this is wrong, please correct me... I'm interested in knowing as well.

That doesn't work -- the SPI is protected by ESP's authentication check 
(section 2 of RFC 2406) or by AH (section 2 of RFC 2402).

		--Steve Bellovin, http://www.research.att.com/~smb
				  http://www.wilyhacker.com


Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.