Subject: NAT-T and source address checking
To: None <tech-net@netbsd.org>
From: Emmanuel Dreyfus <manu@netbsd.org>
List: tech-net
Date: 04/23/2005 22:05:46
Hi
Various comments in the code suggests that RFC2401 prohibit checking the
source address. There is also a comment telling that we could need it
and the situation is "tricky".
Anyone can explain the problem to me? After hacking the code for two
weeks, I have the feeling that I can't avoid checking the source address
to distinguish the machines behind the NAT, and this what I do in the
code I committed.
Maybe that deserves to be fixed, but I don't really understand how
checking the source address is wrong: the reason I found in RFC2401
(which I have not fully readen, it's rather long) is that is that an
ICMP message could come from a router between the endpoints, but there
is no SA between that router and the endpoint, so how could that happen?
--=20
Emmanuel Dreyfus
Publicit=E9 subliminale: achetez ce livre!
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@netbsd.org