North American Network Operators Group

  • From: Steven M. Bellovin
  • Date: Fri Sep 14 02:55:51 2001

In message <[email protected]>, "Tim Irwin" wr

>I looked at this a while back... I am dusting off the cobwebs of my mind, so
>no flames please.  I believe that the NATing device must modify the SPI
>values.  The sending device sends out an ESP packet with src addy of, say
>, to the NAT router.  The router must look at the TCP port to
>determine that it's IPSEC in order to figure out that it's a special case
>and NAT it.  It then must modify the SPI value (which is partially made up
>of the src IP address) as it leaves because the NAT dst device will use the
>info in the SPI value in the formulation of its reply.
>If this is wrong, please correct me... I'm interested in knowing as well.

That doesn't work -- the SPI is protected by ESP's authentication check
(section 2 of RFC 2406) or by AH (section 2 of RFC 2402).

		--Steve Bellovin,
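To illustrate Steve's point, here is an added Python example (not from the thread): it builds an ESP packet with the RFC 2404 HMAC-SHA-1-96 ICV over SPI, sequence number and payload, then shows that a NAT rewriting the SPI in flight fails the receiver's integrity check. The key and payload are constructed sample values, and encryption is omitted because only the ICV's coverage matters here.

```python
import hmac
import hashlib
import struct

# RFC 2404: HMAC-SHA-1-96 truncates the 20-byte HMAC-SHA-1 output to 96 bits.
ICV_LEN = 12


def build_esp(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Assemble an ESP packet in the RFC 2406 layout: SPI | seq | payload | ICV.

    The ICV covers everything from the SPI up to (but excluding) the ICV
    itself; the outer IP header is not covered, which is why plain address
    translation is possible at all. The SPI is an opaque 32-bit SA selector
    chosen by the receiver.
    """
    header = struct.pack("!II", spi, seq)
    authenticated = header + payload
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def verify_esp(packet: bytes, auth_key: bytes) -> bool:
    """Receiver-side check: recompute the ICV over SPI|seq|payload, compare."""
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def nat_rewrite_spi(packet: bytes, new_spi: int) -> bytes:
    """What the quoted proposal would have a NAT do: overwrite the SPI field.

    The NAT holds no SA key, so it cannot recompute a valid ICV afterwards.
    """
    return struct.pack("!I", new_spi) + packet[4:]


def esp_spi(packet: bytes) -> int:
    """Read the SPI field back out of an ESP packet."""
    return struct.unpack("!I", packet[:4])[0]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-sa"  # constructed sample key
    pkt = build_esp(0x10000001, 1, b"constructed payload", key)
    print("original verifies:", verify_esp(pkt, key))
    rewritten = nat_rewrite_spi(pkt, 0x20000002)
    print("SPI-rewritten verifies:", verify_esp(rewritten, key))
```

AH (RFC 2402) is worse for NAT: its ICV also covers the immutable outer IP header fields, including the source and destination addresses, so address translation alone breaks it even with the SPI untouched.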