From owner-freebsd-net  Fri Oct 18 22:58:27 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 591F737B401; Fri, 18 Oct 2002 22:58:26 -0700 (PDT)
Received: from mail.allcaps.org (h-66-166-142-198.SNDACAGL.covad.net [66.166.142.198])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4DD1B43E7B; Fri, 18 Oct 2002 22:58:25 -0700 (PDT)
	(envelope-from bsder@mail.allcaps.org)
Received: by mail.allcaps.org (Postfix, from userid 501)
	id 785751550C; Fri, 18 Oct 2002 22:58:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by mail.allcaps.org (Postfix) with ESMTP
	id 6C8DA1550B; Fri, 18 Oct 2002 22:58:22 -0700 (PDT)
Date: Fri, 18 Oct 2002 22:58:22 -0700 (PDT)
From: "Andrew P. Lentvorski" <bsder@mail.allcaps.org>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: Matthew Zahorik <matt@hottub.org>, <freebsd-net@FreeBSD.ORG>
Subject: Re: IPSEC/NAT issues
In-Reply-To: <20021018182522.GC45449@blossom.cjclark.org>
Message-ID: <20021018222132.P68535-100000@mail.allcaps.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

On Fri, 18 Oct 2002, Me, Myself, and I blathered:
> You cannot NAT an IPSEC packet.  NAT rewrites the IP headers and the
> packet will get rejected when it reaches the other IPSEC node.

I still stand by my original statement.  However, it won't be true for
much longer.  There is now a draft document (as of August 18, 2002) for
dealing with NAT traversal.

http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-02.txt

<quote>
a) Incompatibility between IPsec AH [RFC2402] and NAT. Since the AH header
   incorporates the IP source and destination addresses in the
   keyed message integrity check, NAT or reverse NAT devices making changes
   to address fields will invalidate the message integrity check.
   Since IPsec ESP [4] does not incorporate the IP source and
   destination addresses in its keyed message integrity check,
   this issue does not arise for ESP.

b) Incompatibility between checksums and NAT. TCP/UDP/SCTP
   checksums have a dependency on the IP source and destination
   addresses through inclusion of the "pseudo-header" in the
   calculation. As a result, where checksums are calculated and
   checked on receipt, they will be invalidated by passage through
   a NAT or reverse NAT device.

   As a result, IPsec ESP will only pass unimpeded through a NAT if
   TCP/UDP/SCTP protocols are not involved (as in IPsec tunnel
   mode or IPsec/GRE), or checksums are not calculated (as is
   possible with IPv4 UDP)
</quote>

-a


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message