[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 06 Jul 2009 19:02:35 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: herbert@...dor.apana.org.au
Cc: christophe@...ut.de, netdev@...r.kernel.org
Subject: Re: [RFC] Fixing up TCP/UDP checksum for UDP encap. ESP4 packets
in transport mode
From: Herbert Xu <herbert@...dor.apana.org.au>
Date: Tue, 7 Jul 2009 09:58:50 +0800
> On Mon, Jul 06, 2009 at 06:54:11PM -0700, David Miller wrote:
>>
>> Hmmm, aren't we talking about packets which were protected by either a
>> hash, strong encryption, or both at some point?
>
> Only if there is no inner NAT, i.e., only if this patch isn't
> needed. Otherwise
>
> Source --- GW1 ---- GW2 --- Dest
>
> the path between Source and GW1, will be unprotected if transport
> mode is used between GW1 and GW2. The only bit protected by IPsec's
> hash is between GW1 and GW2.
>
> When the traffic comes back, then the bit between Dest and GW2 will
> be unprotected. This is why the only safe way to use this would be
> if your traffic is one-way and you only had inner NAT at the other
> end.
I see. So people are using transport IPSEC + NAT as a kind of
specialized tunnel.
Indeed, there is no way to handle checksums sanely. The whole
end-to-end protection of the checksum would be entirely subverted
if we fixed it up.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists