nanog mailing list archives
Re: IPSEC and PAT
From: "Steven M. Bellovin" <smb () research att com>
Date: Thu, 13 Sep 2001 21:43:48 -0400
In message <912A91BC69F4D3119D1B009027D0D40C01BB45A7 () exchange1 secure insweb co m>, Vandy Hamidi writes:
It is working now. I've done it with Linksys and Netopia DSL routers. Software client on the laptop that DOES tunnel mode ESP. No AH and running through a PAT and it works flawlessly. I just want to know how it works; I've already determined that it does. The point where my logic fails is where PAT relies on modifying the TCP/UDP port numbers: an ESP packet has a standard IP header with an additional protocol 50 ESP header. Since there are no ports to change to create a table to keep track of which packet came from which internal client, what is used to keep track? Someone said something about the UDP encapsulation, but what about the NETOPIA, which doesn't do that?
I repeat -- it doesn't do PAT. Some "routers" -- they're really no such thing, of course; they're NAT boxes and/or bridges -- allow one host behind them to speak IPsec. If a host emits a packet using ESP, it's tagged as *the* IPsec user; return IPsec packets are routed to that host. (Some of these boxes may use manual configuration instead or in addition.) You can't have two IPsec hosts, because there's no way to know which should receive incoming packets -- there's no relationship between inbound and outbound SPIs.

As for the UDP encapsulation -- yes, the IETF's IPsec working group is moving in that direction. But it's not standardized yet, and there may be patent issues to sort through.

--Steve Bellovin, http://www.research.att.com/~smb
http://www.wilyhacker.com
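The behaviour Bellovin describes, as an added toy model that is not part of the thread and not any vendor's code: a NAT box that port-translates TCP/UDP normally, but for raw ESP (IP protocol 50) can only remember one inside host, learned from the first outbound ESP packet or set by hand, because there is no port to rewrite and the SPI on an inbound packet is chosen by the inside host, not by the box, so it bears no relation to the SPI seen going out. The second function goes beyond the 2001 thread: it shows the same two hosts once ESP is carried inside UDP, using port 4500 as later standardized for IPsec NAT traversal (RFC 3948), which gives PAT something to key on. All addresses, SPIs and port numbers are constructed for the example.

```python
"""Added toy model (not from the thread): a NAT/PAT box that port-translates
TCP/UDP but can only pin one inside host for raw ESP (IP protocol 50)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500  # UDP port standardized later for ESP-in-UDP (RFC 3948); assumed here


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0  # TCP/UDP only
    dport: int = 0  # TCP/UDP only
    spi: int = 0    # ESP only (raw or UDP-encapsulated)


class NatBox:
    def __init__(self, public_ip: str, esp_host: Optional[str] = None) -> None:
        self.public_ip = public_ip
        # PAT state: (proto, public port) -> (inside ip, inside port), plus the reverse map
        self.pat: Dict[Tuple[int, int], Tuple[str, int]] = {}
        self.reverse: Dict[Tuple[int, str, int], int] = {}
        self.next_port = 40000
        # The one inside host allowed to speak raw ESP: manually configured,
        # or learned from the first outbound ESP packet.
        self.esp_host = esp_host

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in (PROTO_TCP, PROTO_UDP):
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.reverse:
                self.reverse[key] = self.next_port
                self.pat[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
                self.next_port += 1
            return Packet(self.public_ip, pkt.dst, pkt.proto,
                          self.reverse[key], pkt.dport, pkt.spi)
        if pkt.proto == PROTO_ESP:
            # Nothing to rewrite except the source address: ESP has no ports,
            # so the only state the box can keep is "who is the IPsec user".
            if self.esp_host is None:
                self.esp_host = pkt.src
            return Packet(self.public_ip, pkt.dst, PROTO_ESP, spi=pkt.spi)
        return None  # other protocols are dropped in this toy

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto in (PROTO_TCP, PROTO_UDP):
            entry = self.pat.get((pkt.proto, pkt.dport))
            if entry is None:
                return None
            inside_ip, inside_port = entry
            return Packet(pkt.src, inside_ip, pkt.proto, pkt.sport, inside_port, pkt.spi)
        if pkt.proto == PROTO_ESP:
            # Each direction's SPI is picked by that direction's receiver, so the
            # SPI on an inbound packet is unrelated to any SPI the box saw going
            # out. It cannot serve as a lookup key: everything goes to the pinned host.
            if self.esp_host is None:
                return None
            return Packet(pkt.src, self.esp_host, PROTO_ESP, spi=pkt.spi)
        return None


GW = "198.51.100.9"                      # constructed: the remote IPsec gateway
HOST_A, HOST_B = "10.0.0.2", "10.0.0.3"  # constructed: two inside clients


def raw_esp_two_hosts() -> Tuple[Optional[str], Optional[str]]:
    """Returns which inside host receives the gateway's reply to A and to B."""
    nat = NatBox("203.0.113.1")
    nat.outbound(Packet(HOST_A, GW, PROTO_ESP, spi=0x1001))  # A becomes *the* IPsec user
    nat.outbound(Packet(HOST_B, GW, PROTO_ESP, spi=0x2002))  # B's packets still leave...
    to_a = nat.inbound(Packet(GW, "203.0.113.1", PROTO_ESP, spi=0xA001))
    to_b = nat.inbound(Packet(GW, "203.0.113.1", PROTO_ESP, spi=0xB001))
    return (to_a.dst if to_a else None, to_b.dst if to_b else None)  # ...but both replies land on A


def udp_encap_two_hosts() -> Tuple[Optional[str], Optional[str]]:
    """Same two hosts, but ESP carried inside UDP: PAT now has ports to work with."""
    nat = NatBox("203.0.113.1")
    out_a = nat.outbound(Packet(HOST_A, GW, PROTO_UDP, NAT_T_PORT, NAT_T_PORT, spi=0x1001))
    out_b = nat.outbound(Packet(HOST_B, GW, PROTO_UDP, NAT_T_PORT, NAT_T_PORT, spi=0x2002))
    # The gateway replies to whatever public port each host's traffic arrived from.
    to_a = nat.inbound(Packet(GW, "203.0.113.1", PROTO_UDP, NAT_T_PORT, out_a.sport, spi=0xA001))
    to_b = nat.inbound(Packet(GW, "203.0.113.1", PROTO_UDP, NAT_T_PORT, out_b.sport, spi=0xB001))
    return (to_a.dst if to_a else None, to_b.dst if to_b else None)


if __name__ == "__main__":
    print("raw ESP     :", raw_esp_two_hosts())
    print("ESP over UDP:", udp_encap_two_hosts())
```

The raw-ESP case returns A for both replies: the box has delivered B's traffic to the wrong host and has no information that would let it do otherwise. The UDP-encapsulated case returns A and B, because the outer UDP header carries a per-host public port exactly as any other PAT'd flow does.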
Current thread:
- IPSEC and PAT Vandy Hamidi (Sep 13)
- <Possible follow-ups>
- Re: IPSEC and PAT Steven M. Bellovin (Sep 13)
- Re: IPSEC and PAT Adam Herscher (Sep 13)
- RE: IPSEC and PAT Vandy Hamidi (Sep 13)
- Re: IPSEC and PAT Steven M. Bellovin (Sep 13)
- RE: IPSEC and PAT Tim Irwin (Sep 13)
- RE: IPSEC and PAT Vandy Hamidi (Sep 13)
- Re: IPSEC and PAT Tony Rall (Sep 13)
- Re: IPSEC and PAT Bora Akyol (Sep 13)
- Re: IPSEC and PAT Chris Grout (Sep 13)
- Re: IPSEC and PAT Adam Herscher (Sep 13)
- Re: IPSEC and PAT Bora Akyol (Sep 13)
- Re: IPSEC and PAT Steven M. Bellovin (Sep 13)