Home page logo
/

nanog logo nanog mailing list archives

RE: IPSEC and PAT
From: Vandy Hamidi <vhamidi () insweb com>
Date: Thu, 13 Sep 2001 18:36:55 -0700


It is working now.  I've done it with Linksys and Netopia DSL routers.
Software client on the laptop that DOES tunnel mode ESP.  No AH and running
through a PAT and it works flawlessly.  I just want to know how it works,
I've already determined that it does.
The point where my logic fails is where PAT relies on modifying the TCP/UDP
port numbers, an ESP packet has a standard IP header with an additional
protocol 50 ESP header.  Since there is no ports to change to create a table
to keep track of which packet came from which internal client, what is used
to keep track.
Someone said something about the UDP encapsulation, but what about the
NETOPIA which doesn't do that?

        -=Vandy=-

-----Original Message-----
From: Steven M. Bellovin [mailto:smb () research att com]
Sent: Thursday, September 13, 2001 5:21 PM
To: Vandy Hamidi
Cc: nanog () merit edu
Subject: Re: IPSEC and PAT 


In message
<912A91BC69F4D3119D1B009027D0D40C01BB459C () exchange1 secure insweb co
m>, Vandy Hamidi writes:

I know that in Tunnel Mode, IPsec can be NATed and PATed (without IKE on
UDP
500 being used), but as I'm trying to break down the process of  how it is
working, I've been stumped by this:
NAT - Changes source IP during translation
PAT - Changes source IP and TCP/UDP port to another to track multiple to
one
translations.
My question is, how does PAT track the packets with their internal hosts
when there is not a TCP/UDP header to translate.
How does it know which "internal" host a returning ESP packet must be
forwarded to after it un PATs the incoming packet?
thanks and I hope this isn't a totally stupid question.  If it is, humor me
;),

IPsec can't be PATted, because the TCP and UDP port numbers are in the 
protected part of the packet.

                --Steve Bellovin, http://www.research.att.com/~smb
                                  http://www.wilyhacker.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]