From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@lists.netfilter.org>
Subject: Re: SNAT before IPSec
Date: Fri, 08 Jun 2007 12:57:28 -0500
Message-ID: <46699888.5000004@riverviewtech.net>
In-Reply-To: <web-75050127@bk1.webmaillogin.com>

On 06/07/07 15:57, Jorge Davila wrote:
> In your analysis you forget that the packet delivered by the Router A
> to Router B (or vice versa) is an encrypted packet. Once the packet is
> decrypted in the other end the headers are the headers of the
> original packets. Then, the scenario is more funny.

I was aware that IPSec encryption / decryption was going to take place.
It is my experience that current IPSec implementations which tunnel
traffic do so with the traffic looping through the kernel twice,
once unencrypted and once encrypted, then on the receiving end once
encrypted and then once decrypted. I was talking about doing the NATing
on the unencrypted / decrypted passes, not the encrypted pass.

You are right that including the encryption / decryption in the
discussion would have made things much more complex and entertaining to
look at.

Thankfully what I was trying to convey is done regardless of IPSec (the
way that I have messed with it) so it did not need to come into the
discussion.

Thanks for the pointer. ;)

Grant. . . .