[ale] IPSEC Operations Issues
Joseph A Knapka
jknapka at earthlink.net
Sun Sep 29 20:05:31 EDT 2002
Chris Ricker wrote:
>
> ESP and AH can both be done in two different modes, transport or tunnel.
> Transport modifies (adds encryption / authentication info to) the existing
> IP packet, while tunnel encapsulates it within a new IP packet.
>
> AH transport looks something like:
>
> ________________________________________________________
> | original IP header | AH | TCP / UDP header | payload |
> --------------------------------------------------------
> <------------------- Authenticated -------------------->
>
> AH tunnel looks something like:
>
> ____________________________________________________________________
> | new IP header | AH | orig IP header | TCP / UDP header | payload |
> --------------------------------------------------------------------
> <------------------------- Authenticated -------------------------->
>
> AH authenticates almost everything in either mode, though it does always
> exclude a few fields in the IP header which have to be dynamic as the packet
> is routed; specifically, I think ToS, Flags, Fragment, TTL, and the chksum
> aren't included in the AH chksum. As a result, neither NAT nor PAT are
> compatible with AH.
>
> ESP's a little different. It can't encrypt the IP header, since the header
> must be accessible for routing decisions as the packet traverses the
> network. This is going to mean that NAT (usually) works, but PAT still
> doesn't.
>
> ESP transport looks something like:
> _______________________________________________________________
> | original IP header | ESP | TCP / UDP header | payload | ESP |
> ---------------------------------------------------------------
>                      <------------ Authenticated ------------->
>                            <----------- Encrypted ------------>
>
> ESP tunnel looks something like:
>
> ___________________________________________________________________________
> | new IP header | ESP | orig IP header | TCP / UDP header | payload | ESP |
> ---------------------------------------------------------------------------
>                 <--------------------- Authenticated --------------------->
>                       <-------------------- Encrypted -------------------->
>
> So, in ESP transport mode the IP header isn't secured; NAT works fine. In
> ESP tunnel mode the original IP header is secured, but the encapsulating IP
> header isn't. Whether NAT will be problematic or not will depend on both
> where the NAT is occurring, and where the IPSec encapsulation /
> decapsulation is occurring. In either transport or tunnel mode, the TCP /
> UDP segment header is encrypted, so PAT is not possible....
Forgive my ignorance, but I have a Cisco VPN client on my Windows
machine that claims to be IPSec-compatible, and it seems to work
OK through my PAT firewall. How is this possible, given the nature
of AH and ESP? Perhaps it is tunnelling the entire IPSec session
within a normal TCP/IP connection?
-- Joe
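An added illustration of the two points Chris makes above (not code from this thread): AH's ICV skips the mutable IPv4 fields but still covers the source address, so a TTL decrement survives while a NAT rewrite does not, and under ESP a PAT box cannot find the port fields at all. The key, addresses, SPIs and segment bytes are constructed; headers are simplified (no IP options, checksum left zero).

```python
import hashlib
import hmac
import struct

AH_KEY = b"constructed-demo-key"   # constructed sample key; a real SA key comes from IKE
PROTO_ESP, PROTO_AH = 50, 51

def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0):
    """Minimal 20-byte IPv4 header without options (header checksum left at 0)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234,
                       0x4000, ttl, proto, 0, addr(src), addr(dst))

def ah_icv(ip_hdr, ah_plus_payload):
    """AH ICV computed with the mutable IPv4 fields zeroed; src/dst stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # ToS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    mac = hmac.new(AH_KEY, bytes(h) + ah_plus_payload, hashlib.sha256).digest()
    return mac[:12]           # 96-bit truncated ICV

def ah_verifies(ip_hdr, ah_plus_payload, icv):
    return hmac.compare_digest(ah_icv(ip_hdr, ah_plus_payload), icv)

def l4_ports_visible(ip_hdr, rest):
    """Ports a NAT/PAT box can read: present after an AH header, absent under ESP."""
    proto = ip_hdr[9]
    if proto == PROTO_AH:
        ah_len = (rest[1] + 2) * 4        # AH payload-length field: 32-bit words minus 2
        return struct.unpack("!HH", rest[ah_len:ah_len + 4])
    if proto == PROTO_ESP:
        return None                       # only SPI and sequence number are in the clear
    return struct.unpack("!HH", rest[:4])

def demo():
    tcp = struct.pack("!HH", 40000, 443) + b"constructed TCP segment"
    # AH header: next=TCP(6), len=4 (24 bytes incl. 12-byte ICV), reserved, SPI, seq, ICV zeroed
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(12)
    hdr = ipv4_header("10.0.0.5", "203.0.113.10", PROTO_AH, len(ah + tcp))
    icv = ah_icv(hdr, ah + tcp)
    # a router decrements TTL (mutable field): ICV still verifies
    hop = ipv4_header("10.0.0.5", "203.0.113.10", PROTO_AH, len(ah + tcp), ttl=63)
    # a NAT rewrites the source address (immutable field): ICV no longer verifies
    natted = ipv4_header("198.51.100.1", "203.0.113.10", PROTO_AH, len(ah + tcp), ttl=63)
    esp = struct.pack("!II", 0x2000, 1) + b"constructed ciphertext"
    esp_hdr = ipv4_header("10.0.0.5", "203.0.113.10", PROTO_ESP, len(esp))
    return (ah_verifies(hop, ah + tcp, icv), ah_verifies(natted, ah + tcp, icv),
            l4_ports_visible(hdr, ah + tcp), l4_ports_visible(esp_hdr, esp))

if __name__ == "__main__":
    print(demo())  # (True, False, (40000, 443), None)
```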
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.