North American Network Operators Group
Re: IPSEC and PAT
In message <[email protected]>, "Tim Irwin" writes:
>
> I looked at this a while back... I am dusting off the cobwebs of my mind, so
> no flames please. I believe that the NATing device must modify the SPI
> values. The sending device sends out an ESP packet with src addy of, say
> 192.168.1.2, to the NAT router. The router must look at the TCP port to
> determine that it's IPSEC in order to figure out that it's a special case
> and NAT it. It then must modify the SPI value (which is partially made up
> of the src IP address) as it leaves because the NAT dst device will use the
> info in the SPI value in the formulation of its reply.
>
> If this is wrong, please correct me... I'm interested in knowing as well.

That doesn't work -- the SPI is protected by ESP's authentication check (section 2 of RFC 2406) or by AH (section 2 of RFC 2402).

--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
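The following Python script is an added illustration of the point made in the reply above; it is not code from the NANOG thread or from either poster. It models a simplified ESP packet (ESP-NULL, so no encryption, with an HMAC-SHA1-96 integrity check over the SPI, sequence number and payload as RFC 2406 section 3.3.4 prescribes) and shows why the quoted proposal fails: a NAT box that rewrites the SPI cannot recompute the ICV because it holds no SA key, whereas rewriting the outer source address leaves the ICV intact because the outer IP header is outside the ESP integrity scope. It also checks the other assumption in the quoted text, that a PAT box could key on a TCP port: ESP is IP protocol 50 and carries no transport port. All keys, addresses and payload bytes are constructed for the demo.

```python
import hmac
import hashlib
import socket
import struct

# RFC 2406 section 3.3.4: the ESP ICV covers the SPI, the sequence number and
# the payload (data, padding, pad length, next header). The outer IP header is
# not covered. HMAC-SHA1-96 (RFC 2404) truncates the MAC to 96 bits.
ICV_LEN = 12
IPPROTO_ESP = 50


def build_esp(spi, seq, payload, auth_key):
    """Simplified ESP packet: SPI | seq | payload | ICV (ESP-NULL, no encryption)."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def verify_esp(packet, auth_key):
    """Return (spi, seq, payload) if the ICV verifies, otherwise None."""
    if len(packet) < 8 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    return spi, seq, body[8:]


def build_outer_ip(src, dst, esp_len):
    """Minimal IPv4 header (no options, checksum left zero) carrying ESP."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + esp_len, 0, 0, 64,
                       IPPROTO_ESP, 0, socket.inet_aton(src), socket.inet_aton(dst))


def has_transport_port(outer_ip):
    """A PAT box keys on layer-4 ports; only TCP (6) or UDP (17) carry them."""
    proto = outer_ip[9]
    return proto in (6, 17)


def nat_rewrite_src(outer_ip, esp, new_src):
    """Address translation touches only the outer header, which the ICV ignores."""
    new_outer = outer_ip[:12] + socket.inet_aton(new_src) + outer_ip[16:]
    return new_outer, esp


def nat_rewrite_spi(esp, new_spi):
    """The quoted proposal: overwrite the SPI in flight. The NAT holds no SA
    key, so it cannot recompute the ICV over the changed ESP header."""
    return struct.pack("!I", new_spi) + esp[4:]


def demo():
    # Constructed demo values: not a real SA key, documentation-range addresses.
    key = b"constructed demo key, not a real SA key"
    esp = build_esp(0x12345678, 1, b"inner datagram (constructed)", key)
    outer = build_outer_ip("192.168.1.2", "203.0.113.10", len(esp))

    _, esp_after_src_nat = nat_rewrite_src(outer, esp, "198.51.100.1")
    esp_after_spi_rewrite = nat_rewrite_spi(esp, 0x0000ABCD)

    return {
        "original_verifies": verify_esp(esp, key) is not None,
        "esp_has_port_to_key_on": has_transport_port(outer),
        "after_src_nat_verifies": verify_esp(esp_after_src_nat, key) is not None,
        "after_spi_rewrite_verifies": verify_esp(esp_after_spi_rewrite, key) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the original packet verifying, the source-NATed packet still verifying, and the SPI-rewritten packet failing the ICV check. This is the asymmetry behind the reply: translating the outer address is survivable for ESP (AH is a different story, since it covers immutable outer-header fields), but anything inside the ESP header or payload is off limits to a middlebox without the key.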