Computing book

Chapter 8

R2 blocks all telnet traffic from net 2 to net 1.

19. The ISP might want to prohibit attacks (such as the IP spoofing attack described in Exercise 5.17 or, for that matter, email spamming) launched by its own customers.

20. RFC 2402 and RFC 2406 are handy for this exercise.

(a) IPsec ESP transport mode is incompatible with NAT. In the case of TCP/UDP packets, NAT would need to update the checksum in the TCP/UDP header when an address in the IP header is changed. However, as the TCP/UDP header is encrypted by ESP, NAT would not be able to make this checksum update. As a result, TCP/UDP packets encrypted in transport-mode ESP and traversing a NAT device will fail the TCP/UDP checksum validation on the receiving end and will simply not reach the target application.

(b) IPsec ESP tunnel mode may work with NAT, since IPsec ESP tunnel mode attaches a new IP header and encapsulates the original IP packet in it. Because ESP encrypts and authenticates only the IP payload, when the tunnel IP header gets stripped off, the TCP/UDP checksum is preserved and still correct for the original IP packet. Therefore the original IP packet can reach the target application.

(c) Obviously, (a) will not work with PAT, for the same reasons given above. As for case (b), clearly IPsec ESP tunnel mode will not work with PAT either: PAT needs to look at the port numbers to do the translation, but those are encrypted by ESP. Case (b) only works in the true NAT case. There is an effort called “NAT traversal” to work around this problem using UDP encapsulation. With NAT traversal, case (b) may work with PAT.
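A worked illustration of the checksum argument in 20(a) and 20(b), added here and not part of the solutions manual: it computes the real TCP checksum (pseudo-header over the IP addresses plus the segment) and models a NAT that rewrites the source address, once on cleartext, once on an ESP transport-mode segment it cannot touch, and once on a tunnel-mode packet whose inner header is preserved. The addresses, ports and payload are constructed, and ESP encryption is represented only by the NAT's inability to modify the segment.

```python
import socket
import struct

PRIVATE, PUBLIC, SERVER = "10.0.0.5", "198.51.100.1", "203.0.113.10"  # constructed addresses

def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, seg_len: int) -> bytes:
    """The TCP pseudo-header is what binds the checksum to the IP addresses."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, seg_len)

def set_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Write a correct TCP checksum (header offset 16) for the given IP addresses."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = rfc1071_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """20-byte TCP header (SYN, no options) plus payload, checksummed for src_ip/dst_ip."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return set_checksum(src_ip, dst_ip, hdr + payload)

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver check: checksum over pseudo-header plus the whole segment must come out zero."""
    return rfc1071_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def cleartext_through_nat() -> bool:
    """No IPsec: NAT rewrites the source IP and can also fix the TCP checksum."""
    seg = set_checksum(PUBLIC, SERVER, build_segment(PRIVATE, SERVER, 40000, 23, b"hi"))
    return checksum_ok(PUBLIC, SERVER, seg)

def esp_transport_through_nat() -> bool:
    """20(a): the TCP header is ESP ciphertext, so NAT rewrites the IP source but cannot touch
    the checksum; after decryption the peer validates against the translated (public) source."""
    seg = build_segment(PRIVATE, SERVER, 40000, 23, b"hi")  # NAT sees only ciphertext
    return checksum_ok(PUBLIC, SERVER, seg)

def esp_tunnel_through_nat() -> bool:
    """20(b): NAT rewrites only the outer header; the inner IP header (still PRIVATE) rides
    inside ESP, so the peer validates against the addresses the sender used."""
    seg = build_segment(PRIVATE, SERVER, 40000, 23, b"hi")
    return checksum_ok(PRIVATE, SERVER, seg)
```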

