
ike source port (was: issues with IKE that need resolution)



The issue is:

	Is it ok for the source port for IKE to be something other than
	port 500?

Hopefully it is ok, as this eases ipsec across NAT boxes, for 
example. I asked several ipsec-ers this question in Chicago, but there
seems to be no clear answer. ISAKMP specifies that 500 must be supported
on both source and destination. However, it does not say that 500 is the
only port number possible. Allowing the source port to vary does not
seem to have security implications, because source and destination
ports are already included in the hash. What do most implementations
do when they get an ike packet whose source port is not 500?

Of course, the same question applies to the destination port, but at least
in the soho scenario, an unconstrained source port is what's important
(assuming the clients behind the "nat" box are the initiators of ike
sessions with legacy ike responders out on the internet).

Requiring source port to always be set to 500 means that the "nat/nar" box
would have to have a pool of addresses to lend out to internal clients.
The very common soho case in which the "nat/nar" box has only one ip
address (perhaps obtained dynamically from its ISP) would not be supported.

------------------
More info:

I've been thinking about enabling IPSEC (and others) across intermediate
boxes (NATs, proxies, gateways, whatever). My proposal on how
to do it is called NAR (negotiated address reuse):

	draft-montenegro-aatn-nar-00.txt 

The chicago presentation is available as

	http://playground.sun.com/~gab/talks/nar-ietf42.{PDF,ppt}
	
-gabriel
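As an added illustration (not part of Gabriel's message or of the NAR draft), the following Python models the two sides of the question above: a responder that either insists on source port 500 or replies to whatever source port it saw, and a single-address SOHO NAT that can lend public port 500 to only one inside host at a time. The 28-byte fixed ISAKMP header layout is taken from RFC 2408; the addresses, cookies, the `Napt` class and the `run_scenario` helper are constructed for the demonstration and are not from any real implementation.

```python
import struct
from dataclasses import dataclass

ISAKMP_PORT = 500

# Fixed ISAKMP header (RFC 2408 section 3.1): initiator cookie, responder
# cookie, next payload, version, exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # 28 bytes


@dataclass
class IsakmpHeader:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def build_isakmp_header(icookie: bytes, exchange_type: int) -> bytes:
    """Build a header-only datagram (constructed input, no payloads attached)."""
    return ISAKMP_HDR.pack(icookie, bytes(8), 1, 0x10, exchange_type, 0, 0,
                           ISAKMP_HDR.size)


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse the fixed header; reject datagrams whose length field disagrees."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than ISAKMP header")
    hdr = IsakmpHeader(*ISAKMP_HDR.unpack_from(data))
    if hdr.length != len(data):
        raise ValueError("ISAKMP length field does not match datagram size")
    return hdr


def responder_reply_endpoint(src_ip, src_port, dst_port, strict_source_port):
    """Decide where (if anywhere) a responder answers an incoming IKE datagram.

    The destination must be 500, which ISAKMP requires every implementation
    to support.  Whether the source must also be 500 is the open question;
    the flag models both answers.  A permissive responder replies to the
    source port it observed, which is what a port-rewriting NAT needs.
    """
    if dst_port != ISAKMP_PORT:
        return None
    if strict_source_port and src_port != ISAKMP_PORT:
        return None
    return (src_ip, src_port)


class Napt:
    """Single-public-address NAPT, i.e. the SOHO box in the message (constructed).

    It keeps the inside source port when that public port is still free and
    otherwise lends out an ephemeral port, so only one inside host can hold
    public port 500 at any time.
    """

    def __init__(self, public_ip: str, first_ephemeral: int = 49152):
        self.public_ip = public_ip
        self.table = {}  # public port -> (inside ip, inside port)
        self.next_ephemeral = first_ephemeral

    def map_outbound(self, inside_ip: str, inside_port: int):
        for pub_port, inner in self.table.items():
            if inner == (inside_ip, inside_port):
                return self.public_ip, pub_port  # existing binding
        if inside_port not in self.table:
            pub_port = inside_port  # port preserved: public 500 still free
        else:
            pub_port = self.next_ephemeral
            self.next_ephemeral += 1
        self.table[pub_port] = (inside_ip, inside_port)
        return self.public_ip, pub_port


def run_scenario(n_clients: int, strict_source_port: bool) -> int:
    """Count inside clients whose first IKE message gets any reply at all."""
    nat = Napt("203.0.113.1")  # RFC 5737 documentation address
    answered = 0
    for i in range(n_clients):
        inside_ip = f"10.0.0.{10 + i}"
        pub_ip, pub_port = nat.map_outbound(inside_ip, ISAKMP_PORT)
        datagram = build_isakmp_header(bytes([i + 1]) * 8, 2)  # 2 = main mode
        hdr = parse_isakmp_header(datagram)
        assert hdr.exchange_type == 2
        if responder_reply_endpoint(pub_ip, pub_port, ISAKMP_PORT,
                                    strict_source_port) is not None:
            answered += 1
    return answered


if __name__ == "__main__":
    print("strict source port 500:", run_scenario(3, True), "of 3 clients answered")
    print("any source port:       ", run_scenario(3, False), "of 3 clients answered")
```

With a strict responder only the first inside client (the one that got public port 500) is answered; a responder that replies to the observed source port answers all of them, which is the single-address SOHO case the message says a fixed source port cannot support.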


